CVE-2016-4557
Published 2016-05-23
Priority P2 · 58 · high · CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit available. EPSS: 10.20% (95.1st percentile)
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.5.3-1 (bookworm) | linux 4.5.3-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.4.0-22.39 | 4.4.0-22.39 |
| linux | linux_kernel | >= 4.4 < 4.4.11 | 4.4.11 |
| linux | linux_kernel | >= 4.5 < 4.5.5 | 4.5.5 |
Detection & IOCs

YARA rule (Elastic Security):

```yara
rule Linux_Exploit_CVE_2016_4557_b7e15f5e {
    meta:
        author = "Elastic Security"
        id = "b7e15f5e-73d2-4718-8fac-e6a285b0c73c"
        fingerprint = "14baf456521fd7357a70ddde9da11f27d17a45d7d12c70a0101d6bdc45e30c74"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Exploit.CVE-2016-4557"
        reference_sample = "bbed2f81104b5eb4a8475deff73b29a350dc8b0f96dcc4987d0112b993675271"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 2E 20 69 66 20 74 68 69 73 20 77 6F 72 6B 65 64 2C 20 79 6F }
    condition:
        all of them
}
```

Byte signature: `2E 20 69 66 20 74 68 69 73 20 77 6F 72 6B 65 64 2C 20 79 6F`
- Detect exploit execution by monitoring for a process named 'doubleput' spawning child processes or writing to /etc/crontab, combined with use of the bpf() syscall (syscall number 321 on x86_64, 357 on x86) with the BPF_PROG_LOAD command from an unprivileged user.
- Alert on unprivileged processes invoking the bpf() syscall (NR 321 on x86_64) when CONFIG_BPF_SYSCALL=y and kernel.unprivileged_bpf_disabled != 1; this is the prerequisite condition for exploitation.
- Monitor for FUSE filesystem mounts (/tmp/fuse_mount or similar) by unprivileged users immediately followed by writev() calls and bpf() syscall activity: this FUSE-based timing technique is a key exploit primitive.
- Detect use of the kcmp() syscall with the KCMP_FILE argument by unprivileged processes, which the exploit uses to confirm struct file address reuse after the use-after-free.
- Hunt for the exploit's crontab payload pattern: lines matching '* * * * * root /bin/chown root:root ... suidhelper; /bin/chmod 06755 ... suidhelper' written to /etc/crontab.
- Scan files and memory for the Elastic YARA rule byte signature { 2E 20 69 66 20 74 68 69 73 20 77 6F 72 6B 65 64 2C 20 79 6F } (ASCII: '. if this worked, yo'), which is present in known exploit binaries.
- Flag the presence of both 'doubleput' and 'suidhelper' binaries in writable directories (e.g. /tmp), as the Metasploit module drops pre-compiled versions with the hardcoded payload path '/tmp/AyDJSaMM'.
- Exploitation requires CONFIG_BPF_SYSCALL=y in the kernel build config. Systems without this option are not vulnerable.
- Setting the sysctl kernel.unprivileged_bpf_disabled=1 at runtime blocks unprivileged use of bpf() and prevents exploitation without a kernel patch.
- The exploit requires FUSE to be installed on the target system; absence of fuse/libfuse-dev will cause exploitation to fail.
- Red Hat Enterprise Linux 5, 6, 7 and MRG 2 are not affected as they ship kernels without the vulnerable BPF code path.
- The Metasploit module's cron-based persistence writes to /etc/crontab and must be manually removed after exploitation; automated cleanup is not performed.
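The two exploitation preconditions and the crontab artifact from the bullets above, turned into a host check. This is an added example written for this page, not code from Elastic, Rapid7 or any other source collected here. It assumes the standard Linux locations for the kernel build config (`/boot/config-$(uname -r)` or `/proc/config.gz`) and for the sysctl (`/proc/sys/kernel/unprivileged_bpf_disabled`); the sample crontab text embedded in the script is constructed for the self-test.

```shell
#!/bin/sh
# Added example (not from any source on this page): checks the CVE-2016-4557
# preconditions (CONFIG_BPF_SYSCALL=y and kernel.unprivileged_bpf_disabled != 1)
# and hunts /etc/crontab for the persistence line the public exploit writes.
# Inputs are passed as strings so the logic runs on constructed data too.

# Constructed sample crontab contents for the self-test (not real data).
SAMPLE_CRONTAB='# /etc/crontab: system-wide crontab
* * * * * root /bin/chown root:root /tmp/suidhelper; /bin/chmod 06755 /tmp/suidhelper
17 * * * * root cd / && run-parts --report /etc/cron.hourly'

# bpf_exposed CONFIG_TEXT SYSCTL_VALUE
# Returns 0 when both preconditions hold (unprivileged bpf() reachable),
# 1 when either one blocks it. An unknown sysctl value (file absent) is
# treated as "not 1", i.e. the conservative, exposed answer.
bpf_exposed() {
    _cfg="$1"
    _sysctl="$2"
    printf '%s\n' "$_cfg" | grep -q '^CONFIG_BPF_SYSCALL=y$' || return 1
    [ "$_sysctl" = "1" ] && return 1
    return 0
}

# crontab_hits CRONTAB_TEXT
# Prints every line matching the exploit's crontab payload pattern quoted
# above; exit status 0 when at least one line matched, 1 otherwise.
crontab_hits() {
    printf '%s\n' "$1" | grep -E '^\* \* \* \* \* root .*chown root:root .*suidhelper; .*chmod 06755 .*suidhelper'
}

# kernel_config_text
# Prints the running kernel's build config from the usual locations
# (assumed standard paths), or nothing if neither is readable.
kernel_config_text() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    fi
}

# check_live
# Evaluates the running host and prints a short report.
check_live() {
    _cfg=$(kernel_config_text)
    _val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
    echo "kernel: $(uname -r)"
    echo "kernel.unprivileged_bpf_disabled = $_val"
    if [ -z "$_cfg" ]; then
        echo "kernel config not readable; cannot confirm CONFIG_BPF_SYSCALL"
    elif bpf_exposed "$_cfg" "$_val"; then
        echo "EXPOSED: unprivileged bpf() reachable; patch the kernel or set kernel.unprivileged_bpf_disabled=1"
    else
        echo "ok: unprivileged bpf() is not reachable on this host"
    fi
    if [ -r /etc/crontab ] && crontab_hits "$(cat /etc/crontab)"; then
        echo "ALERT: exploit-style persistence line(s) above found in /etc/crontab"
    fi
}

# The live check runs only when invoked with --live, so the functions can be
# sourced or exercised on constructed input without touching the host.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check_bpf.sh --live` on a host to get the report; the sysctl check is the runtime mitigation the bullets name, and the config check tells you whether a host that cannot set the sysctl (kernels before the knob existed report "unknown") needs the kernel update instead.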
CVSS provenance

| Source | CVSS version | Score | Rating | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_ubuntu | | 4.6 | MEDIUM | |
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu·2016-05-06·CVSS 4.6
CVE-2016-2184 [MEDIUM] Linux kernel (Xenial HWE) vulnerabilities
Title: Linux kernel (Xenial HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
USN-2965-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not properly reference count file
descriptors, leading to a use-after-free. A local unprivileged attacker
could use this to gain administrative privileges. (CVE-2016-4557)
Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of
Ubuntu
Linux kernel (Qualcomm Snapdragon) vulnerability
vendor_ubuntu·2016-05-06·CVSS 4.6
CVE-2016-4557 [MEDIUM] Linux kernel (Qualcomm Snapdragon) vulnerability
Title: Linux kernel (Qualcomm Snapdragon) vulnerability
Summary: Several security issues were fixed in the kernel.
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not properly reference count file
descriptors, leading to a use-after-free. A local unprivileged attacker
could use this to gain administrative privileges.
Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)
Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use t
Ubuntu
Linux kernel (Raspberry Pi 2) vulnerabilities
vendor_ubuntu·2016-05-06·CVSS 4.6
CVE-2016-2184 [MEDIUM] Linux kernel (Raspberry Pi 2) vulnerabilities
Title: Linux kernel (Raspberry Pi 2) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not properly reference count file
descriptors, leading to a use-after-free. A local unprivileged attacker
could use this to gain administrative privileges. (CVE-2016-4557)
Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)
Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical acces
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2016-05-06·CVSS 4.6
CVE-2016-2184 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not properly reference count file
descriptors, leading to a use-after-free. A local unprivileged attacker
could use this to gain administrative privileges. (CVE-2016-4557)
Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)
Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use this
Red Hat
kernel: Use after free vulnerability via double fdput
vendor_redhat·2016-04-26·CVSS 7.8
CVE-2016-4557 [HIGH] CWE-416 kernel: Use after free vulnerability via double fdput
kernel: Use after free vulnerability via double fdput
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
Statement: This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: realtime-kernel (Red Hat Enterprise MRG
Debian
CVE-2016-4557: linux - The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux k...
vendor_debian·2016·CVSS 7.8
CVE-2016-4557 [HIGH] CVE-2016-4557: linux - The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux k...
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
Scope: local
bookworm: resolved (fixed in 4.5.3-1)
bullseye: resolved (fixed in 4.5.3-1)
forky: resolved (fixed in 4.5.3-1)
sid: resolved (fixed in 4.5.3-1)
trixie: resolved (fixed in 4.5.3-1)
GHSA
GHSA-3wq8-wfw2-w4xm: The replace_map_fd_with_map_ptr function in kernel/bpf/verifier
ghsa_unreviewed·2022-05-17
CVE-2016-4557 [HIGH] GHSA-3wq8-wfw2-w4xm: The replace_map_fd_with_map_ptr function in kernel/bpf/verifier
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
OSV
CVE-2016-4557: The replace_map_fd_with_map_ptr function in kernel/bpf/verifier
osv·2016-05-23·CVSS 7.8
CVE-2016-4557 [HIGH] CVE-2016-4557: The replace_map_fd_with_map_ptr function in kernel/bpf/verifier
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
OSV
linux vulnerabilities
osv·2016-05-06·CVSS 4.6
CVE-2016-4557 [MEDIUM] linux vulnerabilities
linux vulnerabilities
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not properly reference count file
descriptors, leading to a use-after-free. A local unprivileged attacker
could use this to gain administrative privileges. (CVE-2016-4557)
Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)
Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2185)
Ralf Spenneb
OSV
linux-lts-xenial vulnerabilities
osv·2016-05-06·CVSS 4.6
[MEDIUM] linux-lts-xenial vulnerabilities
linux-lts-xenial vulnerabilities
USN-2965-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not properly reference count file
descriptors, leading to a use-after-free. A local unprivileged attacker
could use this to gain administrative privileges. (CVE-2016-4557)
Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)
Ralf Spenneberg discovered that the
OSV
linux-raspi2 vulnerabilities
osv·2016-05-06·CVSS 4.6
CVE-2016-4557 [MEDIUM] linux-raspi2 vulnerabilities
linux-raspi2 vulnerabilities
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not properly reference count file
descriptors, leading to a use-after-free. A local unprivileged attacker
could use this to gain administrative privileges. (CVE-2016-4557)
Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)
Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2185)
Ralf
Exploit-DB
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)
exploitdb·2016-11-14
CVE-2016-4557 Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Linux BPF Local Privilege Escalation',
  'Description' => %q{
    Linux kernel >=4.4 with CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled
    sysctl is not set to 1, BPF can be abused to priv escalate.
    Ubuntu 16.04 has all of these conditions met.
  },
  'License' => MSF_LICENSE,
  'Author' =>
    [
      '[email protected]', # discovery
      'h00die ' # metasploit module
    ],
  'Platform' => [ 'linux' ],
  'Arch' => [ ARCH_X86, ARCH_X86_64 ],
  'SessionTypes' => [ 'shell', 'meterpreter' ],
  'References' =>
    [
      [ 'CVE', '2016-4557' ],
      [ 'EDB', '39772' ],
      [ 'URL
```
Exploit-DB
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
exploitdb·2016-05-04
CVE-2016-4557 Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.
When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:
/* look for pseudo eBPF instructions t
Metasploit
Linux BPF doubleput UAF Privilege Escalation
metasploit
Linux BPF doubleput UAF Privilege Escalation
Linux BPF doubleput UAF Privilege Escalation
Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF) does not properly reference count file descriptors, resulting in a use-after-free, which can be abused to escalate privileges. The target system must be compiled with `CONFIG_BPF_SYSCALL` and must not have `kernel.unprivileged_bpf_disabled` set to 1. Note, this module will overwrite the first few lines of `/etc/crontab` with a new cron job. The job will need to be manually removed. This module has been tested successfully on Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel).
arXiv
KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities
arxiv_fulltext·2024-09-24
KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities
Bonan Ruan
National University of Singapore
Jiahao Liu
National University of Singapore
Chuqi Zhang
National University of Singapore
Zhenkai Liang
National University of Singapore
## Abstract
Linux kernel vulnerability reproduction is a critical task in system security.
To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed.
Most existing research focuses on the generation of PoC, while the construction of environment is overlooked.
However, establishing an effective vulnerable environment to trigger a vulnerability is challenging.
Firstly, it is hard to guarantee that the selected kernel version for reproduction is vulnerable, as the vulner
Bugzilla
CVE-2016-4557 kernel: Use after free vulnerability via double fdput
bugzilla·2016-05-09·CVSS 7.8
CVE-2016-4557 [HIGH] CVE-2016-4557 kernel: Use after free vulnerability via double fdput
CVE-2016-4557 kernel: Use after free vulnerability via double fdput
A use after free vulnerability was found in kernel which allows privilege escalation for users with a local account on the system. When a program was loaded with a bpf program an attacker could exploit this to gain root privileges by an unprivileged user.
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free).
Bug was introduced in 0246
Bugzilla
CVE-2016-4557 CVE-2016-4558 kernel: various flaws [fedora-all]
bugzilla·2016-05-09·CVSS 7.8
CVE-2016-4557 [HIGH] CVE-2016-4557 CVE-2016-4558 kernel: various flaws [fedora-all]
CVE-2016-4557 CVE-2016-4558 kernel: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While o
References

- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html
- http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5
- http://www.openwall.com/lists/oss-security/2016/05/06/4
- https://bugs.chromium.org/p/project-zero/issues/detail?id=808
- https://bugs.debian.org/823603
- https://bugzilla.redhat.com/show_bug.cgi?id=1334307
- https://github.com/torvalds/linux/commit/8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
- https://www.exploit-db.com/exploits/40759/
Published: 2016-05-23