CVE-2016-8655
published 2016-12-08


Priority: P3 (57), high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 11.13% (95.4th percentile)
Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.

Affected

49 ranges · showing 25

Vendor    | Product       | Version range                  | Fixed in
canonical | ubuntu_linux  |                                |
canonical | ubuntu_linux  |                                |
canonical | ubuntu_linux  |                                |
canonical | ubuntu_linux  |                                |
debian    | debian_linux  |                                |
debian    | debian_linux  |                                |
debian    | linux         | < linux 4.8.15-1 (bookworm)    | linux 4.8.15-1 (bookworm)
debian    | linux         | < linux 4.12.6-1 (bookworm)    | linux 4.12.6-1 (bookworm)
google    | android       |                                |
linux     | linux_kernel  | >= 0 < 4.8.15-1                | 4.8.15-1
linux     | linux_kernel  | >= 0 < 4.12.6-1                | 4.12.6-1
linux     | linux_kernel  | >= 0 < 4.8.15-1                | 4.8.15-1
linux     | linux_kernel  | >= 0 < 4.12.6-1                | 4.12.6-1
linux     | linux_kernel  | >= 0 < 4.8.15-1                | 4.8.15-1
linux     | linux_kernel  | >= 0 < 4.12.6-1                | 4.12.6-1
linux     | linux_kernel  | >= 0 < 4.8.15-1                | 4.8.15-1
linux     | linux_kernel  | >= 0 < 4.12.6-1                | 4.12.6-1
linux     | linux_kernel  | >= 2.6.27 < 3.2.92             | 3.2.92
linux     | linux_kernel  | >= 3.11 < 3.12.69              | 3.12.69
linux     | linux_kernel  | >= 3.11 < 3.16.47              | 3.16.47
linux     | linux_kernel  | >= 3.13 < 3.16.40              | 3.16.40
linux     | linux_kernel  | >= 3.17 < 3.18.46              | 3.18.46
linux     | linux_kernel  | >= 3.17 < 3.18.65              | 3.18.65
linux     | linux_kernel  | >= 3.19 < 4.1.37               | 4.1.37
linux     | linux_kernel  | >= 3.19 < 4.1.44               | 4.1.44

Detection & IOCs (extracted from sources)

filename: chocobo_root.c
filename: dota3.tar.gz
path: /tmp/.X19-unix
path: /tmp/.X19-unix/.rsync/c/tsm
path: /tmp/up.txt
hash: 2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a
hash: 0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6
hash: 93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494
command: echo "root:TXhf4ICTayIh"|chpasswd|bash
command: gcc chocobo_root.c -o chocobo_root -lpthread
path: /var/tmp/dota3.tar.gz
url: http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin
url: https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c
  • Detect exploitation attempts by monitoring for concurrent setsockopt calls on AF_PACKET sockets toggling TPACKET version (PACKET_RX_RING / packet_set_ring race) from the same process, especially from unprivileged user namespaces.
  • Alert on processes spawning AF_PACKET SOCK_RAW sockets from unprivileged user namespaces (CONFIG_USER_NS enabled); this is a prerequisite for CVE-2016-8655 exploitation without CAP_NET_RAW.
  • Flag kernel version strings matching 4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic on x86_64 as vulnerable targets for CVE-2016-8655.
  • Detect the Outlaw dropper script pattern: creation of hidden directories /tmp/.X19-unix, /tmp/.X13-unix, /tmp/.X17-unix and extraction of dota3.tar.gz in /var/tmp or /tmp.
  • Detect tsm binary executing with specific argument pattern (-t 150 -S 6 -s 6 -p 22) from hidden /tmp/.X19-unix/.rsync/c/ path, indicative of Outlaw SSH scanner post-exploitation.
  • Monitor for the exploit writing to the vsyscall page (0xffffffffff600000) to make it writable as part of the chocobo_root privilege escalation chain.
  • Detect the race-win indicator string in process output or logs: '*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*' which signals successful exploitation.
  • Block or alert on syscalls socket(AF_PACKET, SOCK_RAW, ...) combined with setsockopt PACKET_RX_RING and PACKET_VERSION from containers or unprivileged namespaces using Seccomp policy.
  • Exploitation requires unprivileged user namespaces to be enabled (CONFIG_USER_NS=y) and accessible to unprivileged users; disabling this kernel feature prevents exploitation without CAP_NET_RAW.
  • The exploit requires at least 2 CPU cores to win the race condition; single-core systems are not exploitable via this technique.
  • SMAP must be disabled for the chocobo_root exploit to succeed; SMEP and KASLR bypasses are included but SMAP is a hard blocker.
  • The exploit specifically targets Ubuntu (Trusty/Xenial) kernels 4.4.0 < 4.4.0-53; the patch was applied in version 4.4.0-53.74. Other distributions may be affected but are untested.
  • Failed exploitation may crash the kernel; defenders should treat unexpected kernel panics on vulnerable kernel versions as a possible exploitation indicator.
  • The exploit drops files to a writable directory (default /tmp); restricting noexec on /tmp and /var/tmp can impede post-exploitation payload execution.

CVSS provenance

nvd (v3.1): 7.8 HIGH — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.2 HIGH — AV:L/AC:L/Au:N/C:C/I:C/A:C
osv: 7.8 HIGH
vendor_debian: 7.8 HIGH
vendor_redhat: 7.8 HIGH