cbcvebase.
CVE-2016-4557
published 2016-05-23

Priority: P258 (high) · CVSS 3.1 base score: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 10.20% (95.1th percentile)
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.

Affected

8 ranges

Vendor    Product         Version range                  Fixed in
debian    linux           < linux 4.5.3-1 (bookworm)     linux 4.5.3-1 (bookworm)
linux     linux_kernel    >= 0 < 4.5.3-1                 4.5.3-1
linux     linux_kernel    >= 0 < 4.5.3-1                 4.5.3-1
linux     linux_kernel    >= 0 < 4.5.3-1                 4.5.3-1
linux     linux_kernel    >= 0 < 4.5.3-1                 4.5.3-1
linux     linux_kernel    >= 0 < 4.4.0-22.39             4.4.0-22.39
linux     linux_kernel    >= 4.4 < 4.4.11                4.4.11
linux     linux_kernel    >= 4.5 < 4.5.5                 4.5.5

Detection & IOCs (extracted from sources)

hash: bbed2f81104b5eb4a8475deff73b29a350dc8b0f96dcc4987d0112b993675271
path: /etc/crontab
filename: doubleput
filename: suidhelper
path: /tmp/fuse_mount
yara:
rule Linux_Exploit_CVE_2016_4557_b7e15f5e {
    meta:
        author = "Elastic Security"
        id = "b7e15f5e-73d2-4718-8fac-e6a285b0c73c"
        fingerprint = "14baf456521fd7357a70ddde9da11f27d17a45d7d12c70a0101d6bdc45e30c74"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Exploit.CVE-2016-4557"
        reference_sample = "bbed2f81104b5eb4a8475deff73b29a350dc8b0f96dcc4987d0112b993675271"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 2E 20 69 66 20 74 68 69 73 20 77 6F 72 6B 65 64 2C 20 79 6F }
    condition:
        all of them
}
bytes: 2E 20 69 66 20 74 68 69 73 20 77 6F 72 6B 65 64 2C 20 79 6F
  • Detect exploit execution by monitoring for a process named 'doubleput' spawning child processes or writing to /etc/crontab, combined with use of the bpf() syscall (syscall number 321 on x86_64, 357 on x86) with BPF_PROG_LOAD command from an unprivileged user.
  • Alert on unprivileged processes invoking bpf() syscall (NR 321 on x86_64) when CONFIG_BPF_SYSCALL=y and kernel.unprivileged_bpf_disabled != 1; this is the prerequisite condition for exploitation.
  • Monitor for FUSE filesystem mounts (/tmp/fuse_mount or similar) by unprivileged users immediately followed by writev() calls and bpf() syscall activity — this FUSE-based timing technique is a key exploit primitive.
  • Detect use of kcmp() syscall with KCMP_FILE argument by unprivileged processes, which the exploit uses to confirm struct file address reuse after the use-after-free.
  • Hunt for the exploit's crontab payload pattern: lines matching '* * * * * root /bin/chown root:root ... suidhelper; /bin/chmod 06755 ... suidhelper' written to /etc/crontab.
  • Scan files and memory for the Elastic YARA rule byte signature { 2E 20 69 66 20 74 68 69 73 20 77 6F 72 6B 65 64 2C 20 79 6F } (ASCII: '. if this worked, yo') which is present in known exploit binaries.
  • Flag presence of both 'doubleput' and 'suidhelper' binaries in writable directories (e.g. /tmp), as the Metasploit module drops pre-compiled versions with the hardcoded payload path '/tmp/AyDJSaMM'.
  • Exploitation requires CONFIG_BPF_SYSCALL=y in the kernel build config. Systems without this option are not vulnerable.
  • Setting the sysctl kernel.unprivileged_bpf_disabled=1 at runtime blocks unprivileged use of bpf() and prevents exploitation without a kernel patch.
  • The exploit requires FUSE to be installed on the target system; absence of fuse/libfuse-dev will cause exploitation to fail.
  • Red Hat Enterprise Linux 5, 6, 7 and MRG 2 are not affected as they ship kernels without the vulnerable BPF code path.
  • The Metasploit module's cron-based persistence writes to /etc/crontab and must be manually removed after exploitation; automated cleanup is not performed.
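The following is an added example, not code from this page, from Elastic, or from the Metasploit module. It applies the host-signal bullets above to auditd SYSCALL records: BPF_PROG_LOAD from a non-root uid (only meaningful while kernel.unprivileged_bpf_disabled != 1), kcmp() with KCMP_FILE from a non-root uid, and the Elastic byte signature over file or memory contents. Assumptions: auditd's key=value record layout with a0..a3 logged in hex, AUDIT_ARCH values c000003e (x86_64) and 40000003 (i386), kcmp() being syscall 312 on x86_64 and KCMP_FILE being 0, BPF_PROG_LOAD being enum bpf_cmd value 5. The audit lines are constructed for illustration, not real captures.

```python
import re

# From the page: bpf() is syscall 321 on x86_64 and 357 on x86. auditd reports the
# architecture as a hex AUDIT_ARCH value: c000003e = x86_64, 40000003 = i386.
BPF_NR_BY_ARCH = {"c000003e": 321, "40000003": 357}
KCMP_NR_BY_ARCH = {"c000003e": 312}   # kcmp() on x86_64 only (assumption for this example)
BPF_PROG_LOAD = 5                     # enum bpf_cmd value for BPF_PROG_LOAD
KCMP_FILE = 0                         # enum kcmp_type value for KCMP_FILE

# Byte signature from the Elastic YARA rule above (ASCII ". if this worked, yo").
EXPLOIT_SIG = bytes.fromhex("2E 20 69 66 20 74 68 69 73 20 77 6F 72 6B 65 64 2C 20 79 6F")

# Constructed auditd SYSCALL records (not real captures): one unprivileged
# BPF_PROG_LOAD, one root BPF_PROG_LOAD, one unprivileged BPF_MAP_CREATE (a0=0),
# and one unprivileged kcmp(KCMP_FILE).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1463000000.101:501): arch=c000003e syscall=321 success=yes exit=3 a0=5 a1=7ffd3c2e1a40 a2=70 a3=0 items=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 comm="doubleput" exe="/tmp/doubleput" key=(null)
type=SYSCALL msg=audit(1463000000.102:502): arch=c000003e syscall=321 success=yes exit=4 a0=5 a1=7ffd3c2e1a40 a2=70 a3=0 items=0 ppid=1 pid=901 auid=4294967295 uid=0 gid=0 euid=0 comm="bpftool" exe="/usr/sbin/bpftool" key=(null)
type=SYSCALL msg=audit(1463000000.103:503): arch=c000003e syscall=321 success=yes exit=5 a0=0 a1=7ffd3c2e1a40 a2=70 a3=0 items=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 comm="doubleput" exe="/tmp/doubleput" key=(null)
type=SYSCALL msg=audit(1463000000.104:504): arch=c000003e syscall=312 success=yes exit=0 a0=7d2 a1=7d2 a2=0 a3=3 items=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 comm="doubleput" exe="/tmp/doubleput" key=(null)
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Turn one auditd record into a dict of its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _syscall_records(lines, nr_by_arch):
    """Yield (record, syscall number) for SYSCALL records whose arch is in nr_by_arch."""
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        nr = nr_by_arch.get(rec.get("arch"))
        if nr is not None and rec.get("syscall") == str(nr):
            yield rec, nr


def _unprivileged(rec):
    return rec.get("uid") not in (None, "0")


def _summary(rec):
    return {"pid": rec.get("pid"), "uid": rec.get("uid"), "comm": rec.get("comm")}


def bpf_prog_load_alerts(lines, unprivileged_bpf_disabled):
    """Flag BPF_PROG_LOAD (a0 == 5) issued by a non-root uid.

    With kernel.unprivileged_bpf_disabled=1 the kernel rejects unprivileged bpf()
    before the verifier runs, so the page treats != 1 as the precondition and
    this function reports nothing when the sysctl is 1.
    """
    if unprivileged_bpf_disabled == 1:
        return []
    return [
        _summary(rec)
        for rec, _ in _syscall_records(lines, BPF_NR_BY_ARCH)
        if int(rec.get("a0", "0"), 16) == BPF_PROG_LOAD and _unprivileged(rec)
    ]


def kcmp_file_alerts(lines):
    """Flag kcmp(..., KCMP_FILE, ...) (a2 == 0) issued by a non-root uid."""
    return [
        _summary(rec)
        for rec, _ in _syscall_records(lines, KCMP_NR_BY_ARCH)
        if int(rec.get("a2", "0"), 16) == KCMP_FILE and _unprivileged(rec)
    ]


def contains_exploit_signature(blob):
    """True if the Elastic rule's byte pattern occurs in blob (file or memory bytes)."""
    return EXPLOIT_SIG in blob


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("unprivileged BPF_PROG_LOAD:", bpf_prog_load_alerts(lines, unprivileged_bpf_disabled=0))
    print("unprivileged kcmp(KCMP_FILE):", kcmp_file_alerts(lines))
    print("signature hit:", contains_exploit_signature(b"xx. if this worked, you have root"))
```

Feed real records with `ausearch -sc bpf` / `ausearch -sc kcmp` output (one record per line) and the sysctl value read from /proc/sys/kernel/unprivileged_bpf_disabled; a hit on either alert list together with a `doubleput` or `suidhelper` binary in /tmp is the combination the bullets above describe.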

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv                       7.8     HIGH
vendor_debian             7.8     HIGH
vendor_redhat             7.8     HIGH
vendor_ubuntu             4.6     MEDIUM