Linux Kernel Privilege Escalation Vulnerability (CVE-2016-8655)

Source: Internet
Author: User
Tags cve

    • Operating machine: Ubuntu 15.10 (kernel version 4.2.0)


    • chocobo_root: the PoC file used in this experiment; it is run to verify the vulnerability


Introduction to Vulnerability

The vulnerability allows kernel code to be executed from an unprivileged process: an attacker with only ordinary local privileges can exploit it to cause a denial of service (system crash) or to escalate to administrator (root) privileges.

The vulnerable code was first introduced on April 19, 2011. Code address: https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a

It was fixed on November 30, 2016. Details of the fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c

Vulnerability Hazard

An attacker could exploit the vulnerability to escalate from ordinary user privileges to administrator privileges on the server and execute arbitrary commands.

Affected Range

Linux kernels from the introduction of the code on April 19, 2011 up to the fix on November 30, 2016 are affected.

(Note: this does not mean that every Linux kernel released between 2011 and 2016 is affected; it depends on the system configuration.)

Experimental steps

This experiment first analyzes the principle of the vulnerability, then uses the PoC to verify it.

Step 1: Analyze the vulnerability

This step analyzes the principle behind the vulnerability.

When the PACKET_RX_RING option is set on an AF_PACKET socket via setsockopt(), packet_set_ring() is called, which contains the following code:

    switch (po->tp_version) {
    case TPACKET_V3:
        /* Transmit path is not supported. We checked
         * it above but just being paranoid
         */
        if (!tx_ring)
            init_prb_bdqc(po, rb, pg_vec, req_u);
        break;
    default:
        break;
    }

As the code above shows, if the socket version is TPACKET_V3, packet_set_ring() calls init_prb_bdqc(), which initializes a timer_list object.

The call chain for the functions above is as follows:

packet_set_ring() -> init_prb_bdqc() -> prb_setup_retire_blk_timer() -> prb_init_blk_timer() -> prb_init_blk_timer() -> init_timer()


When the socket is closed, packet_set_ring() is called again, and if the packet version is greater than TPACKET_V2, the previously initialized timer is deleted and freed:


    if (closing && (po->tp_version > TPACKET_V2)) {
        /* because we don't support block-based v3 on tx-ring */
        if (!tx_ring)
            prb_shutdown_retire_blk_timer(po, rb_queue);
    }


The problem arises when the packet version is changed to TPACKET_V1 after init_prb_bdqc() has already been executed by packet_setsockopt() but before packet_set_ring() returns.

The kernel does try to reject a change of the socket version once the ring buffer has been initialized. However, that check is incomplete:

    case PACKET_VERSION:
    {
        ...
        if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
            return -EBUSY;


The window between the call to init_prb_bdqc() and the swap(rb->pg_vec, pg_vec) in packet_set_ring() is wide enough to race against this code path: the version check sees no ring attached yet and lets the change through.

When the socket is later closed, packet_set_ring() does not remove the timer, because the socket version is now TPACKET_V1. The timer_list struct describing the timer object lives inside the packet_sock structure, which is released with kfree() when the socket is closed.

This leaves a use-after-free of the timer object, which permits various poisoning attacks against the slab allocator; when the timer eventually expires, the kernel jumps to the handler function.
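To make the interleaving concrete, the following is an added user-space model of the race described above and of the check serialised under the socket lock, as the upstream fix does (an illustration written for this article, not kernel code and not the patch itself). model_sock, ring_init_phase, ring_attach_phase, set_version_unlocked, set_version_locked and close_leaves_dangling_timer are assumed stand-ins for packet_sock, the two halves of packet_set_ring(), the PACKET_VERSION handler and the close path; the interleaving is replayed sequentially so the result is deterministic.

```c
#include <stdbool.h>
#include <stddef.h>
/* User-space model of the CVE-2016-8655 race: an added illustration, not kernel code. */
enum { TPACKET_V1 = 0, TPACKET_V2 = 1, TPACKET_V3 = 2 };
struct model_sock {
    int  tp_version;
    void *pg_vec;       /* non-NULL once a ring buffer is attached */
    bool timer_armed;   /* V3 retire-block timer has been init_timer()'d */
    bool sk_locked;     /* stands in for lock_sock()/release_sock() (fixed code only) */
};
static char ring_pages[1];  /* constructed stand-in for the ring's pg_vec pages */
/* packet_set_ring(), first half: init_prb_bdqc() arms the timer only for V3. */
static void ring_init_phase(struct model_sock *po) {
    if (po->tp_version == TPACKET_V3) po->timer_armed = true;
}
/* packet_set_ring(), second half: swap(rb->pg_vec, pg_vec) attaches the ring. */
static void ring_attach_phase(struct model_sock *po, void *pg_vec) { po->pg_vec = pg_vec; }
/* PACKET_VERSION handler as the vulnerable code had it: -EBUSY only once a ring is attached. */
static int set_version_unlocked(struct model_sock *po, int v) {
    if (po->pg_vec) return -16;            /* -EBUSY */
    po->tp_version = v;
    return 0;
}
/* Fixed shape: the socket lock serialises it with ring setup (lock_sock() would block; modelled as -EAGAIN). */
static int set_version_locked(struct model_sock *po, int v) {
    return po->sk_locked ? -11 : set_version_unlocked(po, v);
}
/* Close path: timer removed only if the version still says V3; true == timer outlives the kfree()'d sock. */
static bool close_leaves_dangling_timer(struct model_sock *po) {
    if (po->tp_version > TPACKET_V2) po->timer_armed = false;
    po->pg_vec = NULL;
    return po->timer_armed;
}
/* Deterministic replay of the losing interleaving; returns 1 if the timer dangles. */
int race_unlocked(void) {
    struct model_sock po = { TPACKET_V3, NULL, false, false };
    ring_init_phase(&po);                  /* timer armed: version is V3 */
    set_version_unlocked(&po, TPACKET_V1); /* pg_vec still NULL, so the check passes */
    ring_attach_phase(&po, ring_pages);
    return close_leaves_dangling_timer(&po);
}
/* Same sequence with the lock held across packet_set_ring(); returns 0. */
int race_locked(void) {
    struct model_sock po = { TPACKET_V3, NULL, false, true }; /* lock_sock() */
    ring_init_phase(&po);
    set_version_locked(&po, TPACKET_V1);   /* cannot interleave: rejected */
    ring_attach_phase(&po, ring_pages);
    po.sk_locked = false;                  /* release_sock() */
    return close_leaves_dangling_timer(&po);
}
```

race_unlocked() returns 1 because the version flipped inside the window and the close path skipped the timer teardown; race_locked() returns 0 because the version change could not land between the two halves.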

Creating a new AF_PACKET socket requires CAP_NET_RAW in the process's network namespace. However, on many systems (Ubuntu, Fedora, etc.) an unprivileged process can obtain this capability by creating a new namespace, so the vulnerability can be triggered from inside a container and compromise the entire host kernel. On Android, a process running with GID 3004 (AID_NET_RAW), such as mediaserver, can create a new AF_PACKET socket and trigger the vulnerability.

Step 2: Verify the vulnerability with the PoC

uname -a: view the system kernel version

id: view the current user's identity and groups


Test

This article is from the "12377962" blog; please keep this source: http://12387962.blog.51cto.com/12377962/1883584
