Linux kernel - exploit.company

vendor:

Linux Kernel

by:

Qian Zhang

7.8

CVSS

HIGH

Local Privilege Escalation

269

CWE

Product Name: Linux Kernel

Affected Version From: Linux kernel <= 4.6.2

Affected Version To: Linux kernel <= 4.6.2

Patch Exists: YES

Related CWE: CVE-2016-4997

CPE: o:linux:linux_kernel

Metasploit: https://www.rapid7.com/db/vulnerabilities/ubuntu-usn-3338-2/, https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2016-4997/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-4997/, https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2016-4997/, https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2016-4997/, https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-4997/, https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2016-4997/, https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-4997/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2016-4997/

Other Scripts:

Platforms Tested: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic

2016

Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call

The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields, which allows local users to escalate privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.

Mitigation:

Apply the patch provided by the vendor.

Source

Exploit-DB raw data:

# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call
# Date: 2016.10.8
# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360
# Version: Linux kernel <= 4.6.2
# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic
# CVE: CVE-2016-4997
# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10
# Contact: tyrande000@gmail.com

#DESCRIPTION
#===========
#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,
#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.

zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls
compile.sh  enjoy  enjoy.c  pwn  pwn.c  version.h
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables
[sudo] password for zhang_q: 
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn 
pwn begin, let the bullets fly . . .
and wait for a minute . . .
pwn over, let's enjoy!
preparing payload . . .
trigger modified tty_release . . .
got root, enjoy :)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# 
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl 
   Static hostname: ubuntu
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 355cdf4ce8a048288640c2aa933c018f
    Virtualization: vmware
  Operating System: Ubuntu 16.04.1 LTS
            Kernel: Linux 4.4.0-21-generic
      Architecture: x86-64
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# 


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40489.zip