cbcvebase.
CVE-2017-1000112
published 2017-10-05

CVE-2017-1000112: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch.

Priority: P3 (52), high
CVSS 3.1: 7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 20.80% (97.2th percentile)
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, between two send() calls the append path can be switched from the UFO path to the non-UFO one, which leads to a memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch that allocates a new skb is taken. This triggers fragmentation and the computation of fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

Affected

13 ranges

Vendor   Product        Version range                    Fixed in
debian   linux          < linux 4.12.6-1 (bookworm)      linux 4.12.6-1 (bookworm)
linux    linux_kernel   >= 0 < 4.12.6-1                  4.12.6-1
linux    linux_kernel   >= 0 < 4.12.6-1                  4.12.6-1
linux    linux_kernel   >= 0 < 4.12.6-1                  4.12.6-1
linux    linux_kernel   >= 0 < 4.12.6-1                  4.12.6-1
linux    linux_kernel   >= 0 < 3.13.0-128.177            3.13.0-128.177
linux    linux_kernel   >= 0 < 4.4.0-91.114              4.4.0-91.114
linux    linux_kernel   >= 2.6.15 < 3.10.108             3.10.108
linux    linux_kernel   >= 3.11 < 3.16.47                3.16.47
linux    linux_kernel   >= 3.17 < 3.18.65                3.18.65
linux    linux_kernel   >= 3.19 < 4.4.82                 4.4.82
linux    linux_kernel   >= 4.10 < 4.12.7                 4.12.7
linux    linux_kernel   >= 4.5 < 4.9.43                  4.9.43

Detection & IOCs (extracted from sources)

url: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
url: https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-1000112
url: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
other: KERNEL_BASE = 0xffffffff81000000
  • Exploit requires unprivileged user namespaces to be enabled; detect exploitation attempts by monitoring for unprivileged unshare(CLONE_NEWUSER) calls combined with raw UDP socket creation using the MSG_MORE flag.
  • Target systems are Ubuntu (Trusty/Xenial) kernels 4.4.0-21 through 4.4.0-89 and 4.8.0-34 through 4.8.0-58; alert on privilege escalation attempts on these specific kernel versions.
  • Metasploit module drops the exploit binary and payload into a writable directory (default /tmp) with random alphanumeric filenames prefixed with '.'; monitor for execution of hidden files from /tmp.
  • Exploit uses a ROP chain to disable SMEP by manipulating the CR4 register; monitor for kernel ROP gadget patterns involving xchg eax,esp and mov cr4,rdi sequences in kernel crash dumps or live kernel integrity checks.
  • Exploit calls commit_creds(prepare_kernel_cred(0)) to obtain root; monitor for unexpected credential changes (uid/gid transitions to 0) from non-root processes.
  • Metasploit module compiles the exploit on the target using gcc; detect by monitoring for gcc invocations on files in /tmp or other writable directories shortly before privilege escalation.
  • Check the kernel version against the vulnerable range using a regex; kernel versions matching ^4\.4\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89)-generic or ^4\.8\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic are vulnerable.
  • Exploitation requires SMAP to be disabled on the target; systems with SMAP enabled are not vulnerable to this exploit variant.
  • Exploitation requires unprivileged user namespaces to be enabled; disabling them mitigates this vulnerability.
  • Failed exploitation may crash the kernel, making this a high-impact, noisy attack vector.
  • The exploit only supports the x86_64 architecture; non-x86_64 systems are not affected by this exploit.
  • A KASLR bypass is included in the exploit; KASLR alone does not prevent exploitation of this vulnerability.
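The version regexes and the user-namespace precondition above can be turned into a host audit check. The following is an added example (not code from the CVE record or from any of the linked repositories): it matches a `uname -r` string against the two regexes quoted in the notes and combines the result with the Debian/Ubuntu `kernel.unprivileged_userns_clone` sysctl. The sysctl path, the choice to treat a missing sysctl as "namespaces enabled" (the mainline kernel has no such knob), and the sample release strings are assumptions of this example.

```python
import re
from typing import Optional

# Vulnerable Ubuntu kernel builds, copied from the detection notes for this CVE.
VULNERABLE_KERNEL_PATTERNS = [
    re.compile(r"^4\.4\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|"
               r"63|64|66|67|70|71|72|75|78|79|81|83|87|89)-generic"),
    re.compile(r"^4\.8\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic"),
]

# Debian/Ubuntu-specific sysctl (assumption: not present on mainline kernels).
USERNS_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"


def kernel_release_is_listed(release: str) -> bool:
    """True if `release` (the output of `uname -r`) matches a listed build.

    Note that the notes list only -generic flavours; other flavours of the
    same version are not matched here because the page does not list them.
    """
    release = release.strip()
    return any(p.match(release) for p in VULNERABLE_KERNEL_PATTERNS)


def unprivileged_userns_enabled(sysctl_value: Optional[str]) -> bool:
    """Interpret the unprivileged_userns_clone sysctl value.

    `None` means the sysctl file does not exist; on a kernel without this
    Debian/Ubuntu patch unprivileged user namespaces are simply enabled, so
    a missing file is treated as "enabled" (assumption of this example).
    """
    if sysctl_value is None:
        return True
    return sysctl_value.strip() == "1"


def assess(release: str, sysctl_value: Optional[str]) -> dict:
    """Combine both checks into one verdict.

    The notes say exploitation requires unprivileged user namespaces, so a
    listed kernel with namespaces disabled is reported as mitigated rather
    than exposed (it is still unpatched and should be updated).
    """
    listed = kernel_release_is_listed(release)
    userns = unprivileged_userns_enabled(sysctl_value)
    return {
        "kernel_listed": listed,
        "userns_enabled": userns,
        "exposed": listed and userns,
    }


def read_sysctl(path: str = USERNS_SYSCTL) -> Optional[str]:
    """Read the sysctl file from the live host; None if it is not present."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    import platform

    verdict = assess(platform.release(), read_sysctl())
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Run on a live host it prints the three fields for that machine; for fleet use, feed it the `uname -r` strings collected by your inventory tool rather than calling `platform.release()` locally.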

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.0     HIGH       CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.9     MEDIUM     AV:L/AC:M/Au:N/C:C/I:C/A:C
osv                       7.8     HIGH
vendor_ubuntu             7.8     HIGH
vendor_debian             7.0     LOW
vendor_redhat             7.0     HIGH