CVE-2017-1000112
Published 2017-10-05
CVE-2017-1000112: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch
PriorityP352high7CVSS 3.1
CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 20.80% (97.2th percentile)
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls the append path can be switched from the UFO to the non-UFO one, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch that allocates a new skb is taken. This triggers fragmentation and the computation fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
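A worked model of that arithmetic, added here as an example and not taken from the kernel or from the exploits listed further down: it reproduces the length computations the description names (maxfraglen, fraggap, datalen, copy) with the kernel's own formulas and shows which first/second send() lengths push copy negative on a pre-fix kernel, and why the fix's extra "queued skb is already GSO" check keeps the second send on the UFO path. IPv4 without options (fragheaderlen = 20), a UDP transport header on the first send (transhdrlen = 8), MSG_MORE on both sends, an MTU of 1500 and the payload lengths are assumptions chosen for the illustration.

```c
/* Added example (not kernel code): a model of the length arithmetic in
 * __ip_append_data() for the two-send() sequence described above. It uses
 * the kernel's own formulas for maxfraglen, fraggap, datalen and copy, and
 * assumes IPv4 without options (fragheaderlen = 20), a UDP transport header
 * (transhdrlen = 8 on the first send, 0 afterwards) and MSG_MORE on both
 * sends. Pre-fix kernels choose the UFO path only when length > mtu; the fix
 * (85f1bd9a7b5a) also keeps it when the queued skb is already GSO. */
#include <stdbool.h>
#include <stdio.h>

#define IPHDR_LEN  20
#define UDPHDR_LEN 8

struct append_result {
    bool ufo_path;  /* this send() went through ip_ufo_append_data() */
    int fraggap;    /* skb_prev->len - maxfraglen on the non-UFO path */
    int datalen;    /* payload of the new fragment after the MTU clamp */
    int copy;       /* datalen - transhdrlen - fraggap; < 0 means overflow */
    int skb_len;    /* skb->len of the tail skb after this send() */
};

static bool takes_ufo_path(int length, int mtu, bool skb_is_gso, bool fixed)
{
    return length > mtu || (fixed && skb_is_gso);
}

/* One send() appended to the cork queue; skb_len == 0 means an empty queue. */
static struct append_result append(int length, int transhdrlen, int mtu,
                                   int skb_len, bool skb_is_gso, bool fixed)
{
    struct append_result r = {0};
    int fragheaderlen = IPHDR_LEN;
    int maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;
    int copy;

    if (takes_ufo_path(length, mtu, skb_is_gso, fixed)) {
        /* ip_ufo_append_data(): all of the data goes into one GSO skb */
        r.ufo_path = true;
        r.skb_len = (skb_len ? skb_len : fragheaderlen) + length;
        r.copy = length - transhdrlen;
        return r;
    }
    if (skb_len == 0)
        goto alloc_new_skb;

    /* "Check if the remaining data fits into current packet." */
    copy = mtu - skb_len;
    if (copy < length)
        copy = maxfraglen - skb_len;
    if (copy > 0) {
        r.copy = copy < length ? copy : length;   /* fits; no new skb */
        r.skb_len = skb_len + r.copy;
        return r;
    }

alloc_new_skb:
    /* A UFO skb is longer than maxfraglen, so copy <= 0 lands here with a
     * fraggap that can exceed the MTU. The kernel holds fraggap and datalen
     * as unsigned int and copy as int, so the wrapped difference is negative. */
    r.fraggap = skb_len ? skb_len - maxfraglen : 0;
    r.datalen = length + r.fraggap;
    if (r.datalen > mtu - fragheaderlen)
        r.datalen = maxfraglen - fragheaderlen;
    /* skb_copy_and_csum_bits() then copies fraggap bytes into a fragment
     * with only datalen - transhdrlen bytes of room: copy < 0 is the overrun */
    r.copy = r.datalen - transhdrlen - r.fraggap;
    r.skb_len = fragheaderlen + r.datalen;
    return r;
}

/* First send(): first_len UDP payload bytes with MSG_MORE (UFO when the
 * datagram exceeds the MTU). Second send(): second_len bytes. Returns the
 * second append's copy; a negative value is the number of bytes written
 * past the fragment. */
int ufo_switch_copy(int first_len, int second_len, int mtu, bool fixed)
{
    struct append_result a = append(first_len + UDPHDR_LEN, UDPHDR_LEN, mtu,
                                    0, false, fixed);
    struct append_result b = append(second_len, 0, mtu,
                                    a.skb_len, a.ufo_path, fixed);
    return b.copy;
}

int main(void)
{
    printf("pre-fix, 4000 then 100 bytes: copy = %d\n", ufo_switch_copy(4000, 100, 1500, false));
    printf("pre-fix, 2000 then 100 bytes: copy = %d\n", ufo_switch_copy(2000, 100, 1500, false));
    printf("pre-fix, 1000 then 100 bytes: copy = %d\n", ufo_switch_copy(1000, 100, 1500, false));
    printf("fixed,   4000 then 100 bytes: copy = %d\n", ufo_switch_copy(4000, 100, 1500, true));
    return 0;
}
```

The 2000-byte case shows that the path switch alone is not enough: fraggap (528) still fits in the new fragment, so copy stays positive. With a 4000-byte first send, fraggap is 2528, datalen is clamped to 1480, and copy comes out at -1048, which is the size of the out-of-bounds write the description refers to. On a fixed kernel the same second send is routed back through ip_ufo_append_data() because the queued skb is GSO.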
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.12.6-1 (bookworm) | linux 4.12.6-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 0 < 3.13.0-128.177 | 3.13.0-128.177 |
| linux | linux_kernel | >= 0 < 4.4.0-91.114 | 4.4.0-91.114 |
| linux | linux_kernel | >= 2.6.15 < 3.10.108 | 3.10.108 |
| linux | linux_kernel | >= 3.11 < 3.16.47 | 3.16.47 |
| linux | linux_kernel | >= 3.17 < 3.18.65 | 3.18.65 |
| linux | linux_kernel | >= 3.19 < 4.4.82 | 4.4.82 |
| linux | linux_kernel | >= 4.10 < 4.12.7 | 4.12.7 |
| linux | linux_kernel | >= 4.5 < 4.9.43 | 4.9.43 |
Detection & IOCs (extracted from sources)
Fix commit: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
Detection signals:
- The public exploit requires unprivileged user namespaces; detect attempts by alerting on unshare(CLONE_NEWUSER) from unprivileged processes that then send on a UDP socket with the MSG_MORE flag (MSG_MORE is a send() flag, not a socket-creation option).
- Target systems are Ubuntu (Trusty/Xenial) kernels 4.4.0-21 through 4.4.0-89 and 4.8.0-34 through 4.8.0-58; alert on privilege escalation attempts on these kernel versions.
- The Metasploit module drops the exploit binary and payload into a writable directory (default /tmp) with random alphanumeric filenames prefixed with '.'; monitor for execution of hidden files from /tmp.
- The exploit uses a ROP chain to disable SMEP by rewriting CR4; look for the gadget sequences it relies on (xchg eax,esp and mov cr4,rdi) in kernel crash dumps or live kernel integrity checks.
- The exploit calls commit_creds(prepare_kernel_cred(0)) to obtain root; monitor for unexpected credential changes (uid/gid transitions to 0) in non-root processes that did not execve a setuid binary.
- The Metasploit module compiles the exploit on the target with gcc; monitor for gcc invocations on files in /tmp or other writable directories shortly before a privilege escalation.
- Check the kernel version against the vulnerable range: on Ubuntu, releases matching ^4\.4\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89)-generic or ^4\.8\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic are the Metasploit module's targets. Other builds below the fixed versions in the Affected table still carry the bug even where the module does not target them.
Exploit preconditions and mitigations:
- Exploitation requires SMAP to be disabled; with SMAP enabled this exploit variant fails, but the kernel bug is still present and the fix is still required.
- Exploitation requires unprivileged user namespaces; disabling them (kernel.unprivileged_userns_clone=0 on Debian/Ubuntu kernels) blocks this exploit.
- Failed exploitation may crash the kernel, making this a high-impact, noisy attack vector.
- The exploit supports only x86_64; other architectures are not targeted by this exploit, although the bug itself sits in architecture-independent IPv4/IPv6 code.
- A KASLR bypass is included in the exploit; KASLR alone does not prevent exploitation.
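The version check and the exploit preconditions above, combined into one host triage routine. This is an added example, not code from the Metasploit module or from the C exploits listed below; it only reports whether the stated requirements hold and does not attempt exploitation. Assumed interfaces: uname(2) for the release string, the flags line of /proc/cpuinfo for SMAP, and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone sysctl; the ABI lists are the ones from the regex above.

```c
/* Added example, not code from the Metasploit module or the C exploit on this
 * page: a host triage that encodes the preconditions listed above for the
 * public exploit (an Ubuntu kernel in the module's target set, unprivileged
 * user namespaces enabled, no SMAP, x86_64). The ABI lists are the ones in
 * the page's regex. Assumed interfaces: uname(2) for the release string,
 * the "flags" line of /proc/cpuinfo for smap, and the Debian/Ubuntu-specific
 * sysctl kernel.unprivileged_userns_clone (absent on other kernels). */
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

enum precond {
    PRE_TARGET_KERNEL = 1 << 0,  /* release matches the page's regex */
    PRE_USERNS_OPEN   = 1 << 1,  /* unprivileged user namespaces enabled */
    PRE_NO_SMAP       = 1 << 2,  /* cpuinfo flags lack "smap" */
    PRE_X86_64        = 1 << 3,  /* uname machine is x86_64 */
    PRE_ALL           = 0xf      /* every stated precondition of the exploit */
};

static const int abi_4_4_0[] = { 21, 22, 24, 28, 31, 34, 36, 38, 42, 45, 47, 51, 53,
                                 57, 59, 62, 63, 64, 66, 67, 70, 71, 72, 75, 78, 79,
                                 81, 83, 87, 89 };
static const int abi_4_8_0[] = { 34, 36, 39, 41, 45, 46, 49, 51, 52, 53, 54, 56, 58 };

/* "4.4.0-89-generic" -> 1 if base version, ABI number and flavour are in the
 * module's target set; other flavours and ABIs return 0 even when they carry
 * the bug, exactly as the page's regex does. */
int is_target_release(const char *release)
{
    int a, b, c, abi;
    char flavour[32];
    const int *list;
    size_t n, i;

    if (sscanf(release, "%d.%d.%d-%d-%31s", &a, &b, &c, &abi, flavour) != 5)
        return 0;
    if (strcmp(flavour, "generic") != 0)
        return 0;
    if (a == 4 && b == 4 && c == 0) {
        list = abi_4_4_0; n = sizeof abi_4_4_0 / sizeof abi_4_4_0[0];
    } else if (a == 4 && b == 8 && c == 0) {
        list = abi_4_8_0; n = sizeof abi_4_8_0 / sizeof abi_4_8_0[0];
    } else {
        return 0;
    }
    for (i = 0; i < n; i++)
        if (list[i] == abi)
            return 1;
    return 0;
}

/* 1 if "smap" appears as a whole token in a cpuinfo flags line */
int has_smap(const char *flags)
{
    const char *p = flags;
    while ((p = strstr(p, "smap")) != NULL) {
        int start_ok = (p == flags) || p[-1] == ' ' || p[-1] == ':';
        int end_ok = p[4] == '\0' || p[4] == ' ' || p[4] == '\n';
        if (start_ok && end_ok)
            return 1;
        p += 4;
    }
    return 0;
}

/* Bitmask of enum precond; PRE_ALL means the exploit's stated requirements
 * all hold. userns_clone is the sysctl value; callers should pass 1 when the
 * sysctl is missing, since upstream kernels built with CONFIG_USER_NS allow
 * unprivileged user namespaces unconditionally. */
unsigned assess(const char *release, const char *machine, const char *cpu_flags,
                int userns_clone)
{
    unsigned r = 0;
    if (is_target_release(release))      r |= PRE_TARGET_KERNEL;
    if (userns_clone == 1)               r |= PRE_USERNS_OPEN;
    if (!has_smap(cpu_flags))            r |= PRE_NO_SMAP;
    if (strcmp(machine, "x86_64") == 0)  r |= PRE_X86_64;
    return r;
}

/* Live-host wrapper around assess() */
int main(void)
{
    struct utsname u;
    char flags[4096] = "", line[4096];
    int userns = 1;
    unsigned r;
    FILE *f;

    if (uname(&u) != 0)
        return 1;
    if ((f = fopen("/proc/cpuinfo", "r")) != NULL) {
        while (fgets(line, sizeof line, f))
            if (strncmp(line, "flags", 5) == 0) { strcpy(flags, line); break; }
        fclose(f);
    }
    if ((f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r")) != NULL) {
        if (fscanf(f, "%d", &userns) != 1)
            userns = 1;
        fclose(f);
    }
    r = assess(u.release, u.machine, flags, userns);
    printf("%s %s: target_kernel=%d userns=%d no_smap=%d x86_64=%d -> %s\n",
           u.release, u.machine, !!(r & PRE_TARGET_KERNEL), !!(r & PRE_USERNS_OPEN),
           !!(r & PRE_NO_SMAP), !!(r & PRE_X86_64),
           r == PRE_ALL ? "public exploit preconditions met" : "not exposed to the public exploit");
    return 0;
}
```

Treat PRE_ALL as "patch now"; a kernel below the fixed versions in the Affected table still needs the update even when one of the exploit's own preconditions fails, because the bug is reachable by any unprivileged process that can open a UDP socket on an interface with UFO enabled.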
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vendor_ubuntu | | 7.8 | HIGH | |
| vendor_debian | | 7.0 | LOW | |
| vendor_redhat | | 7.0 | HIGH | |
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu·2017-08-11·CVSS 7.8
CVE-2017-1000111 [HIGH] Linux kernel (Xenial HWE) vulnerabilities
Title: Linux kernel (Xenial HWE) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-3385-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)
Instructions: A
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2017-08-11·CVSS 7.8
CVE-2017-1000111 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recom
Ubuntu
Linux kernel (Trusty HWE) vulnerabilities
vendor_ubuntu·2017-08-11·CVSS 7.8
CVE-2017-1000111 [HIGH] Linux kernel (Trusty HWE) vulnerabilities
Title: Linux kernel (Trusty HWE) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-3386-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.
Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)
Instructions: A
Ubuntu
Linux kernel (HWE) vulnerabilities
vendor_ubuntu·2017-08-11·CVSS 7.8
CVE-2017-1000111 [HIGH] Linux kernel (HWE) vulnerabilities
Title: Linux kernel (HWE) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-3384-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu
16.04 LTS.
Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)
Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)
Instructions: After a standard
Red Hat
kernel: Exploitable memory corruption due to UFO to non-UFO path switch
vendor_redhat·2017-08-10·CVSS 7.0
CVE-2017-1000112 [HIGH] CWE-122 kernel: Exploitable memory corruption due to UFO to non-UFO path switch
Debian
CVE-2017-1000112: linux - Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. W...
vendor_debian·2017·CVSS 7.0
CVE-2017-1000112 [HIGH] CVE-2017-1000112: linux - Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. W...
GHSA
GHSA-r7cm-47vv-77vj: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch
ghsa_unreviewed·2022-05-14
CVE-2017-1000112 [HIGH] CWE-362 GHSA-r7cm-47vv-77vj: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch
OSV
CVE-2017-1000112: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch
osv·2017-10-05·CVSS 7.0
CVE-2017-1000112 [HIGH] CVE-2017-1000112: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch
OSV
linux-hwe vulnerabilities
osv·2017-08-11·CVSS 7.8
CVE-2017-1000112 [HIGH] linux-hwe vulnerabilities
OSV
linux-lts-xenial vulnerabilities
osv·2017-08-11·CVSS 7.8
CVE-2017-1000112 [HIGH] linux-lts-xenial vulnerabilities
OSV
linux vulnerabilities
osv·2017-08-11·CVSS 7.8
CVE-2017-1000112 [HIGH] linux vulnerabilities
OSV
linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities
osv·2017-08-11·CVSS 7.8
CVE-2017-1000112 [HIGH] linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities
No detection rules found.
Exploit-DB
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)
exploitdb·2018-12-29·CVSS 7.0
CVE-2017-1000112 [HIGH] Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)
Linux Kernel
// ---
// Updated by
// - support for distros based on Ubuntu kernel
// - additional kernel targets
// - additional KASLR bypasses
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-1000112
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define DEBUG
#ifdef DEBUG
# define dprintf printf
#else
# define dprintf
#endif
#define ENABLE_KASLR_BYPASS 1
#define ENABLE_SMEP_BYPASS 1
char* SHELL = "/bin/bash";
// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
unsigned long KERNEL_BASE = 0xffffffff81000000ul;
// Will be overwritten by detect_kernel().
int kernel = -1;
struct kernel_info {
const char* distro;
const char* version;
uint64_t commit_creds;
uint64
Exploit-DB
Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)
exploitdb·2018-08-03
CVE-2017-1000112 Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)
Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation',
      'Description' => %q{
        This module attempts to gain root privileges on Linux systems by abusing
        UDP Fragmentation Offload (UFO).
        This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
        4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros
        based on Ubuntu, such as Linux Mint. The target system must have
        unprivileged user namespaces enabled and SMAP disabled. Bypasses for
        SMEP and KASLR are included. Failed exploitation may crash the kernel.
        This module has been tested successfully on various Ubuntu and Linux
        Mint systems, including: Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop;
        Ubuntu 16.04 4.8.0-53-generic; Linux Mint 17.3 4.4.0-89-generic;
        Linux Mint 18 4.8.0-58-generic
      },
      'License' => MSF_LICENSE,
'Author' =>
[
'Andrey Konovalov', # Discovery and C exploit
'h00die', # Metasploit module
'Brendan Coles' # Metasploit module
],
'DisclosureDate' => 'Aug 10 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
Exploit-DB
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)
exploitdb·2017-08-13·CVSS 7.0
CVE-2017-1000112 [HIGH] Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)
Linux Kernel
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define ENABLE_KASLR_BYPASS 1
#define ENABLE_SMEP_BYPASS 1
// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
unsigned long KERNEL_BASE = 0xffffffff81000000ul;
// Will be overwritten by detect_versions().
int kernel = -1;
struct kernel_info {
const char* distro;
const char* version;
uint64_t commit_creds;
uint64_t prepare_kernel_cred;
uint64_t xchg_eax_esp_ret;
uint64_t pop_rdi_ret;
uint64_t mov_dword_ptr_rdi_eax_ret;
uint64_t mov_rax_cr4_ret;
uint64_t neg_rax_ret;
uint64_t pop_rcx_ret;
uint64_t or_rax_rcx_ret;
uint64_t xchg_eax_edi_ret;
uint64_t mov_cr4_rdi_ret;
uint64_t jmp_rcx;
};
struct kernel_inf
Metasploit
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
metasploit
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO). This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and SMAP disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various Ubuntu and Linux Mint systems, including: Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop; Ubuntu 16.04 4.8.0-53-generic; Linux Mint 17.3 4.4.0-89-generic; Linux Mint 18 4.8.0-58-generic
HackerOne
Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch
hackerone·2019-09-11·CVSS 7.0
CVE-2017-1000112 [HIGH] Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch
Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch
Hi!
[CVE-2017-1000112](https://nvd.nist.gov/vuln/detail/CVE-2017-1000112) is a vulnerability I found in the Linux kernel caused by a UFO to non-UFO path switch for UFO packets. It can be exploited to gain kernel code execution from an unprivileged process.
This vulnerability was reported to [email protected] and linux-distros@ following the coordinated disclosure process and then [announced](https://www.openwall.com/lists/oss-security/2017/08/13/1) on oss-security@. The fix was [committed](https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa) on Aug 10, 2017.
I wrote a proof-of-concept exploit for a range of Ubuntu kernels Ubuntu kernel wh
Bugzilla
CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch [fedora-all]
bugzilla·2017-08-11·CVSS 7.0
CVE-2017-1000112 [HIGH] CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch [fedora-all]
CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mul
Bugzilla
CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch
bugzilla·2017-08-08·CVSS 7.0
CVE-2017-1000112 [HIGH] CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch
CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch
A memory corruption issue was found in the Linux kernel.
When building a UFO packet with MSG_MORE __ip_append_data() calls
ip_ufo_append_data() to append. However in between two send() calls,
the append path can be switched from UFO to non-UFO one, which leads
to a memory corruption.
In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len
becomes negative on the non-UFO path and the branch to allocate new
skb is taken. This triggers fragmentation and computation of fraggap =
skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy =
datalen - transhdrlen - fraggap to become negative. Subsequently
skb_copy_and_csum_bits() writes out-of-bounds.
Introducing commit:
https://git.ke
arXiv
Hybrid Privilege Escalation and Remote Code Execution Exploit Chains
arxiv_fulltext·2025-09-22
Authors: Miguel Tulla (MIT, Cambridge, MA), Andrea Vignali (University of Naples Federico II, Naples, Italy), Cristian Colon (MIT, Cambridge, MA), Anahita Srinivasan (MIT, Cambridge, MA), Giancarlo Sperlì (University of Naples Federico II, Naples, Italy), Simon Pietro Romano (University of Naples Federico II, Naples, Italy), Masataro Asai (MIT-IBM Watson AI Lab, Cambridge, MA), Erik Hemberg
Keywords: Exploit Classification, Modeling, AI Planning, ALFA-Chains, RCE
[Figure labels: Core Certified Exploit Library; DMZ+LAN; 20+6subs; 200+6subs; Purdue_1, Purdue_2, Purdue_3; Synthetic; H0, H1, H2]
arXiv
Lic-Sec: an enhanced AppArmor Docker security profile generator
arxiv_fulltext·2020-09-24
Authors: Hui Zhu, Christian Gehrmann (Department of Electrical and Information Technology, Lund University, Lund, Sweden)
## Abstract
Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container sec
References
- http://seclists.org/oss-sec/2017/q3/277
- http://www.debian.org/security/2017/dsa-3981
- http://www.securityfocus.com/bid/100262
- http://www.securitytracker.com/id/1039162
- https://access.redhat.com/errata/RHSA-2017:2918
- https://access.redhat.com/errata/RHSA-2017:2930
- https://access.redhat.com/errata/RHSA-2017:2931
- https://access.redhat.com/errata/RHSA-2017:3200
- https://access.redhat.com/errata/RHSA-2019:1931
- https://access.redhat.com/errata/RHSA-2019:1932
- https://access.redhat.com/errata/RHSA-2019:4159
- https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112
- https://www.exploit-db.com/exploits/45147/