
posted by Fnord666 on Monday May 15 2017, @08:42AM

Submitted via IRC for TheMightyBuzzard

Lately I've been spending some time fuzzing network-related Linux kernel interfaces with syzkaller. Besides the recently discovered vulnerability in DCCP sockets, I also found another one, this time in packet sockets. This post describes how the bug was discovered and how we can exploit it to escalate privileges.

The bug itself (CVE-2017-7308) is a signedness issue, which leads to an exploitable heap-out-of-bounds write. It can be triggered by providing specific parameters to the PACKET_RX_RING option on an AF_PACKET socket with a TPACKET_V3 ring buffer version enabled. As a result the following sanity check in the packet_set_ring() function in net/packet/af_packet.c can be bypassed, which later leads to an out-of-bounds access.

[..] The bug affects a kernel if it has AF_PACKET sockets enabled (CONFIG_PACKET=y), which is the case for many Linux kernel distributions. Exploitation requires the CAP_NET_RAW privilege to be able to create such sockets. However, it's possible to do that from a user namespace if user namespaces are enabled (CONFIG_USER_NS=y) and accessible to unprivileged users.

Since packet sockets are a quite widely used kernel feature, this vulnerability affects a number of popular Linux kernel distributions including Ubuntu and Android. It should be noted that access to AF_PACKET sockets is expressly disallowed to any untrusted code within Android, although it is available to some privileged components. Updated Ubuntu kernels are already out; Android's update is scheduled for July.

Source: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
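The sanity check the excerpt refers to but does not quote can be modelled outside the kernel. The block below is an added example, not code from the story or from the Project Zero write-up: it reproduces the pre-fix and post-fix forms of the TPACKET_V3 block-size check in packet_set_ring() (net/packet/af_packet.c) using the kernel's V3_ALIGNMENT and BLK_HDR_LEN values, and evaluates both on constructed tp_sizeof_priv values. The function names and the sample values are this example's own.

```c
/*
 * Added example, not code from the story or the Project Zero write-up: a
 * user-space model of the block-size sanity check in packet_set_ring()
 * (net/packet/af_packet.c) that CVE-2017-7308 gets past, first as it read
 * before the fix and then as the fix rewrote it. V3_ALIGNMENT and BLK_HDR_LEN
 * follow the kernel's TPACKET_V3 definitions (BLK_HDR_LEN is
 * sizeof(struct tpacket_block_desc) rounded up to 8, i.e. 48); the function
 * names and the sample values are this example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define V3_ALIGNMENT  8u
#define BLK_HDR_LEN   48u
#define PAGE_SIZE_X86 4096u   /* tp_block_size must be page aligned; one page here */

/* BLK_PLUS_PRIV as the old code evaluated it: tp_sizeof_priv is a u32, so the
 * alignment and the addition happen in 32 bits and can wrap. */
static uint32_t blk_plus_priv_u32(uint32_t sz_of_priv)
{
    uint32_t aligned = (sz_of_priv + (V3_ALIGNMENT - 1)) & ~(V3_ALIGNMENT - 1);
    return BLK_HDR_LEN + aligned;
}

/* The fixed form widens tp_sizeof_priv to 64 bits before doing anything. */
static uint64_t blk_plus_priv_u64(uint64_t sz_of_priv)
{
    uint64_t aligned = (sz_of_priv + (V3_ALIGNMENT - 1)) & ~(uint64_t)(V3_ALIGNMENT - 1);
    return BLK_HDR_LEN + aligned;
}

/* Pre-fix check, as in the vulnerable kernel:
 *   if ((int)(req->tp_block_size - BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
 *       goto out;
 * The subtraction is unsigned and the result is cast to int, so a
 * tp_sizeof_priv large enough to wrap the difference back below 2^31 yields a
 * positive int and the request is accepted although the private area cannot
 * fit in the block. Returns true when the request is rejected. */
bool v3_block_check_prefix(uint32_t tp_block_size, uint32_t tp_sizeof_priv)
{
    return (int)(tp_block_size - blk_plus_priv_u32(tp_sizeof_priv)) <= 0;
}

/* Post-fix check (upstream commit "net/packet: fix overflow in check for priv
 * area size"):
 *   if (req->tp_block_size <= BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 *       goto out;
 * No subtraction, no signed cast, 64-bit arithmetic: an oversized private area
 * is simply larger than any block. Returns true when the request is rejected. */
bool v3_block_check_fixed(uint32_t tp_block_size, uint32_t tp_sizeof_priv)
{
    return tp_block_size <= blk_plus_priv_u64(tp_sizeof_priv);
}

int main(void)
{
    /* Constructed sample requests: a one-page block with various priv sizes. */
    const uint32_t priv[] = { 0u, 0x1000u, 0x80000000u, 0xffff0000u, 0xffffffffu };
    for (size_t i = 0; i < sizeof priv / sizeof priv[0]; i++)
        printf("tp_sizeof_priv=0x%08x  pre-fix rejects: %d  fixed rejects: %d\n",
               priv[i],
               (int)v3_block_check_prefix(PAGE_SIZE_X86, priv[i]),
               (int)v3_block_check_fixed(PAGE_SIZE_X86, priv[i]));
    return 0;
}
```

With a one-page block, tp_sizeof_priv = 0xffff0000 passes the old check because the unsigned difference wraps to a small positive value, while the fixed comparison rejects it. The 0xffffffff case shows a second wrap in the same expression: the 32-bit ALIGN rounds it to zero, so the old code sees a 48-byte private area and accepts the request as well.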


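The privilege precondition in the excerpt (CAP_NET_RAW, or a fresh user namespace when unprivileged user namespaces are allowed) can be probed on a given host. The program below is an added example, not from the story or the write-up: it only opens and closes an AF_PACKET socket and never configures a ring. The unshare() path is the usual CLONE_NEWUSER|CLONE_NEWNET sequence; the enum, the function names and the return-code convention are this example's own.

```c
/*
 * Added example (not from the story or the Project Zero post): probe whether
 * the calling process can create an AF_PACKET socket directly (it holds
 * CAP_NET_RAW) or only after moving into a new user + network namespace, which
 * is the route the excerpt describes for unprivileged users. Names and return
 * codes are this example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>       /* htons */
#include <linux/if_ether.h>  /* ETH_P_ALL */
#include <linux/sched.h>     /* CLONE_NEWUSER, CLONE_NEWNET without _GNU_SOURCE */

int unshare(int flags);      /* glibc prototype, restated so this builds without _GNU_SOURCE */

enum packet_access {
    PACKET_ACCESS_DIRECT     = 0, /* socket(AF_PACKET) worked as-is: CAP_NET_RAW held */
    PACKET_ACCESS_VIA_USERNS = 1, /* only after unshare(CLONE_NEWUSER | CLONE_NEWNET) */
    PACKET_ACCESS_NONE       = 2, /* neither path works, or AF_PACKET is not built in */
};

/* 0 on success, -errno on failure. */
static int try_packet_socket(void)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Runs in the calling process: a successful unshare() permanently moves it
 * into the new namespaces, so call this from a throwaway child. err_out
 * receives the errno of the last failure when PACKET_ACCESS_NONE is returned. */
enum packet_access probe_packet_access(int *err_out)
{
    int rc = try_packet_socket();
    if (rc == 0)
        return PACKET_ACCESS_DIRECT;
    if (rc != -EPERM && rc != -EACCES) {   /* e.g. EAFNOSUPPORT: CONFIG_PACKET=n */
        if (err_out) *err_out = -rc;
        return PACKET_ACCESS_NONE;
    }
    /* EPERM: no CAP_NET_RAW here. A new user namespace grants a full capability
     * set inside it, and a new network namespace owned by that user namespace
     * is where packet_create() evaluates its CAP_NET_RAW check. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {
        if (err_out) *err_out = errno;     /* EPERM: unprivileged userns disabled */
        return PACKET_ACCESS_NONE;
    }
    rc = try_packet_socket();
    if (rc == 0)
        return PACKET_ACCESS_VIA_USERNS;
    if (err_out) *err_out = -rc;
    return PACKET_ACCESS_NONE;
}

int main(void)
{
    /* Probe in a child so the parent never ends up inside the new namespaces. */
    pid_t pid = fork();
    if (pid == 0) {
        int err = 0;
        enum packet_access a = probe_packet_access(&err);
        static const char *names[] = { "direct (CAP_NET_RAW)", "via user namespace", "none" };
        printf("AF_PACKET access: %s", names[a]);
        if (a == PACKET_ACCESS_NONE)
            printf(" (%s)", strerror(err));
        printf("\n");
        _exit(0);
    }
    if (pid > 0) {
        int status;
        waitpid(pid, &status, 0);
        return 0;
    }
    perror("fork");
    return 1;
}
```

On a stock Ubuntu of the period the child reports "via user namespace" when run as a normal user; with unprivileged user namespaces disabled it reports "none (Operation not permitted)", which is the mitigation the excerpt's caveat points at.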

  • (Score: 0) by Anonymous Coward on Monday May 15 2017, @07:30PM (#510195)

    I felt "clean" (or isolated) on Linux ... until it made a network connection.
    After that I felt mildly superior. Later I understood that my history teacher had no clue and that Wikipedia knew all along that there was a cheap way to "extend" the memory over many computerz.
    There's no big difference between a local socket and a TCP/IP socket.
    The OS was born from the need to tie many CPUs together at the time and survives to this day.
    There's no interface in Linux to easily abstract an alternative network protocol onto ... whatever physical layer is available.
    TCP/IP is like an artery and Unix sockets are like veins in the *nix body. Smart but ...
    Nobody is going to care, because it is still infinitely more profitable than winblows, because free and scalable across many pockets of android phonez.