CVE-2016-8655 Ubuntu Security Notification for Linux Vulnerability (USN-3150-1)

Vulnerability category: Ubuntu

Severity:

Vulnerability details

A race condition in the af_packet implementation in the Linux kernel.

Impact

A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.


CVE-2016-8655 Ubuntu Security Notification for Linux Vulnerability (USN-3149-1)

Vulnerability category: Ubuntu

Severity:

Vulnerability details

A race condition in the af_packet implementation in the Linux kernel.

Impact

A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.


CVE-2016-5198 Ubuntu Security Notification for Oxide-qt Vulnerabilities (USN-3133-1)

Vulnerability category: Ubuntu

Severity:

Vulnerability details

Multiple security vulnerabilities were discovered in Chromium.

A heap-corruption issue was discovered in FFmpeg.

Impact

If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5198, CVE-2016-5200, CVE-2016-5202)

If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5199)

Solution

Refer to Ubuntu advisory USN-3133-1 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

USN-3133-1: 14.04 (Kylin) on src (liboxideqtcore0)

USN-3133-1: 16.10 (Yakkety) on src (liboxideqtcore0)

USN-3133-1: 16.04 (Xenial) on src (liboxideqtcore0)


[Vulnerability Alert] CVE-2016-8655: Linux kernel privilege escalation vulnerability affecting all major distributions

2016-12-07 10:40:16 Source: 安全客 Author: adlab_mickey

Discovered by: Philip Pettersson

CVE ID: CVE-2016-8655

Impact: High. A low-privileged user can use this vulnerability to escalate privileges locally on a Linux system.

Affected range: Linux kernels from the commit of April 19, 2011 onward are affected, up to the fix on November 30, 2016.

Vulnerability description


Philip Pettersson found a race condition in the Linux kernel (net/packet/af_packet.c) that can be used to escalate privileges through kernel code.

The bug was introduced in the code on April 19, 2011; for details see:

https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a

It was fixed on November 30, 2016; for details see:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c

Technical details


Creating an AF_PACKET socket requires CAP_NET_RAW in your network namespace. However, on systems with unprivileged user namespaces (Ubuntu, Fedora and other distributions), unprivileged processes can obtain this capability inside a namespace of their own, and the bug can also be triggered from inside a container to compromise the host kernel. On Android, processes with gid=3004/AID_NET_RAW (for example mediaserver) can create AF_PACKET sockets and trigger the bug.

The problem lies in packet_set_ring() and packet_setsockopt(): when the PACKET_RX_RING option is set on a socket, packet_setsockopt() calls packet_set_ring().

If the socket version is TPACKET_V3, a timer_list object is initialized by packet_set_ring() when it calls init_prb_bdqc():

    switch (po->tp_version) {
    case TPACKET_V3:
        /* Transmit path is not supported. We checked
         * it above but just being paranoid
         */
        if (!tx_ring)
            init_prb_bdqc(po, rb, pg_vec, req_u);
        break;
    default:
        break;
    }

The call flow is:

    packet_set_ring()->init_prb_bdqc()->prb_setup_retire_blk_timer()->prb_init_blk_timer()->prb_init_blk_timer()->init_timer()

When the socket is closed, packet_set_ring() is called again, and if the packet version is > TPACKET_V2 it frees the ring buffer and deletes the previously initialized timer:

    if (closing && (po->tp_version > TPACKET_V2)) {
        /* Because we don't support block-based V3 on tx-ring */
        if (!tx_ring)
            prb_shutdown_retire_blk_timer(po, rb_queue);
    }

The socket version can be switched to TPACKET_V1 through packet_setsockopt() after init_prb_bdqc() has already run but before packet_set_ring() returns.

Once the ring buffer is initialized, attempts to change the socket version are rejected, but the check is incomplete:

    case PACKET_VERSION:
    {
    ...
        if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
            return -EBUSY;

Between the call to init_prb_bdqc() and swap(rb->pg_vec, pg_vec) in packet_set_ring() there is enough room to race against this code path.

When the socket is later closed, packet_set_ring() will not delete the timer, because the socket version is now TPACKET_V1; the timer_list structure describing the timer lives inside the packet_sock structure, which the socket releases with kfree().

The use-after-free on the timer object can be turned into several different poisoning attacks on the SLAB allocator (I found add_key() to be the most reliable), which ultimately makes the kernel jump to the handler when the timer expires.

The bug was fixed by taking lock_sock(sk) in packet_setsockopt() when the packet version is set.
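The preconditions the article names (an unprivileged process obtaining CAP_NET_RAW through a user namespace, and af_packet being present) can be audited on a live host. The script below is an added example, not code from the 安全客 article, the oss-sec post or the kernel patch. It assumes the Debian/Ubuntu-specific sysctl kernel.unprivileged_userns_clone (absent on other distributions) and the upstream user.max_user_namespaces knob, treats the presence of /proc/net/packet as the sign that af_packet is loaded, and leaves the kernel-release comparison to the distribution advisory, since the article gives dates rather than version numbers.

```shell
#!/bin/sh
# Added example (not from the article or the kernel patch): audit whether an
# unprivileged user on this host can reach AF_PACKET, the precondition for
# CVE-2016-8655 described above.
# Assumptions: Debian/Ubuntu sysctl kernel.unprivileged_userns_clone (may be
# absent elsewhere) and upstream user.max_user_namespaces; /proc/net/packet
# is used as the indicator that af_packet is present.

# Read a sysctl through /proc/sys; print "absent" when the kernel lacks it.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        printf 'absent\n'
    fi
}

# Decide whether an unprivileged process may create a user namespace (and so
# gain CAP_NET_RAW inside it).
#   $1: kernel.unprivileged_userns_clone value (0, 1 or absent)
#   $2: user.max_user_namespaces value (a number or absent)
#   $3: 1 if /proc/self/ns/user exists (user namespaces compiled in), else 0
userns_exposure() {
    [ "$3" = 1 ] || { printf 'restricted\n'; return; }
    [ "$1" != 0 ] || { printf 'restricted\n'; return; }
    [ "$2" != 0 ] || { printf 'restricted\n'; return; }
    printf 'unrestricted\n'
}

# Print a short report for the running host.
audit() {
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    maxns=$(read_sysctl user.max_user_namespaces)
    if [ -e /proc/self/ns/user ]; then hasns=1; else hasns=0; fi
    if [ -e /proc/net/packet ]; then pkt=present; else pkt=absent; fi
    exposure=$(userns_exposure "$clone" "$maxns" "$hasns")

    printf 'kernel release:                   %s\n' "$(uname -r)"
    printf 'af_packet (/proc/net/packet):     %s\n' "$pkt"
    printf 'kernel.unprivileged_userns_clone: %s\n' "$clone"
    printf 'user.max_user_namespaces:         %s\n' "$maxns"
    printf 'unprivileged user namespaces:     %s\n' "$exposure"
    printf 'Compare the kernel release with your distribution advisory (USN-3149-1 / USN-3150-1 on Ubuntu).\n'
    if [ "$exposure" = unrestricted ] && [ "$pkt" = present ]; then
        printf 'Unprivileged users can create AF_PACKET sockets on this host: patch the kernel or restrict user namespaces.\n'
    fi
}

audit
```

The script needs no privileges. Until the kernel is updated, setting kernel.unprivileged_userns_clone=0 on Debian/Ubuntu kernels (or user.max_user_namespaces=0 on newer upstream kernels) closes the path by which unprivileged processes obtain CAP_NET_RAW, at the cost of breaking software that relies on unprivileged user namespaces; the audit then reports "restricted".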

Verification


To be updated

PoC


To be updated

Related links


http://seclists.org/oss-sec/2016/q4/607

http://malwarejake.blogspot.com/2016/12/new-linux-privilege-escalation.html

https://security-tracker.debian.org/tracker/CVE-2016-8655

https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655

https://www.ubuntu.com/usn/usn-3151-1/


This article was originally published by 安全客; please credit the source and this article's URL when reposting.
Article URL: http://bobao.360.cn/learning/detail/3267.html

CVE-2016-9079 Mozilla Firefox SVG Animation Remote Code Execution Vulnerability (MFSA2016-92)

Vulnerability category: Local

Severity:

Vulnerability details

Firefox is a free and open-source web browser developed for Windows, OS X, and Linux.

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

Affected Versions:
Firefox prior to 50.0.2
Firefox ESR prior to 45.5.1
Thunderbird prior to 45.5.1

Impact

A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

Solution

The vendor has released advisories and updates to fix these vulnerabilities. Refer to Mozilla Security Advisories for more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

MFSA2016-92


Eircom D1000 Router Remote Code Execution Vulnerability.

Vulnerability category: CGI

Severity:

Vulnerability details

The eir D1000 modem is a Wireless N ADSL2+ 4-port gateway.

The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet.
The modem could then be used to hack into internal computers on the network, as a proxy host to hack other computers or even as a bot in a botnet.

Affected Version
Eir D1000 firmware versions up to 2.00(AADU.5)_20150909

Impact

On successful exploitation an attacker can gain full control of the modem from the Internet.

Solution

Upgrade to the latest packages which contain a patch.

Refer to German Telekom site here.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Eir


CVE-2016-5290 Red Hat Update for thunderbird security (RHSA-2016:2825)

Vulnerability category: RedHat

Severity:

Vulnerability details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-5290)

Impact

A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2016:2825 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2016:2825: Red Hat Enterprise Linux


CVE-2016-0718 Red Hat Update for expat security (RHSA-2016:2824)

Vulnerability category: RedHat

Severity:

Vulnerability details

Expat is a C library for parsing XML documents.

An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-0718)

Impact

On successful exploitation it would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2016:2824 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2016:2824: Red Hat Enterprise Linux


CVE-2016-5697 Ruby Gem ruby-saml XML Signature Wrapping Vulnerability

Vulnerability category: Local

Severity:

Vulnerability details

The Ruby SAML library is for implementing the client side of a SAML authorization, i.e. it provides a means for managing authorization initialization and confirmation requests from identity providers.

The ruby-saml gem is vulnerable to an XML signature wrapping attack in the specific scenario where a single signature referenced two elements at the same time, yet still passed the schema validation step because one of the elements was inside the encrypted assertion.

Affected Versions:
ruby-saml prior to 1.3.0

Impact

Successful exploitation allows an attacker to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.

Solution

Customers are advised to upgrade to ruby-saml 1.3.0 or later versions to remediate this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ruby-saml 1.3.0 or later
