Old Linux Kernel Code Execution Bug Patched

A local, race condition vulnerability in the af_packet implementation in Linux was patched this week. The bug allows a local attacker to execute code or crash a server.

A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years.

Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011. A patch was pushed to the mainline Linux kernel Dec. 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes.

The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.

Pettersson’s attack opens a rootshell on Ubuntu 16.04; the exploit bypasses Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP) protections at the kernel level. Both are features of Intel chips and hamper code execution in the kernel from user mode. Pettersson said the bypass happens because his attack does not use any userland memory in the exploitation process.

Pettersson provided a technical description of CVE-2016-8655 in an advisory published this week on the oss-sec mailing list:

“To create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc). It can be triggered from within containers to compromise the host kernel. On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug.”
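A defender-side check for the precondition in the advisory excerpt above, as an added example that is not from the article or from Pettersson's advisory: it reports whether unprivileged user namespaces appear to be creatable and which processes already hold CAP_NET_RAW. The sysctl names are assumptions about the host (`kernel.unprivileged_userns_clone` is a Debian/Ubuntu-specific knob; `user.max_user_namespaces` exists on kernels 4.9 and later), and the helper names are hypothetical.

```python
import glob

CAP_NET_RAW = 13  # capability bit index from <linux/capability.h>
USERNS_KNOBS = ("kernel/unprivileged_userns_clone", "user/max_user_namespaces")

def has_net_raw(status_text):
    """True if a /proc/<pid>/status body has CAP_NET_RAW in its effective set."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_NET_RAW) & 1)
    return False

def userns_open(sysctls):
    """sysctls maps knob name -> raw string value, or None if the knob is absent."""
    for name in USERNS_KNOBS:
        value = sysctls.get(name)
        if value is not None and value.strip() == "0":
            return False  # an explicit 0 on either knob blocks creation
    return True  # assumption: absent knobs are treated as "not restricted"

def read_sysctl(name):
    try:
        with open("/proc/sys/" + name) as f:
            return f.read()
    except OSError:
        return None  # knob not present on this kernel

def audit():
    """Return (namespaces_creatable, [(pid, process_name), ...]) for this host."""
    sysctls = {name: read_sysctl(name) for name in USERNS_KNOBS}
    holders = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as f:
                text = f.read()
        except OSError:
            continue  # process exited or is not readable
        if has_net_raw(text):
            name = text.splitlines()[0].split(":", 1)[1].strip()
            holders.append((int(path.split("/")[2]), name))
    return userns_open(sysctls), sorted(holders)

if __name__ == "__main__":
    open_ns, holders = audit()
    print("unprivileged user namespaces creatable:", open_ns)
    for pid, name in holders:
        print(f"CAP_NET_RAW held by pid {pid} ({name})")
```

Processes running as root hold the full capability set and will appear in the list; the entries worth reviewing are the non-root services among them.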

“Basically it’s a bait-and-switch, the bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react,” Pettersson told Threatpost.

The vulnerability not only enables local code execution, but can also allow an attacker to crash a server.

“Depends a bit on the scenario, but the most common attack scenarios for local privilege escalations on servers are: 1) A web server gets compromised through a buggy webapp (usually PHP), the attacker gets low-privilege access and escalates his privilege to root using an exploit like this. 2) An attacker steals someone’s login credentials for a server with many users, such as shared hosting server or a big university server,” Pettersson said. “The attacker then escalates to root and gets access to everyone’s accounts and can pivot further into the network.”

Pettersson’s bug is the latest critical Linux issue to be addressed in the past few months. In mid-November, a vulnerability in the cryptsetup utility used to set up encrypted filesystems on different Linux distributions was found and patched. The cryptsetup vulnerability paved the way for hackers to retrieve a root rescue shell and gain access to data on the hard drive and either modify it or move it off the machine.

Weeks prior, the Dirty Cow vulnerability surfaced, a nine-year-old vulnerability in the Linux copy-on-write feature that also enabled root privileges for a local attacker. The kernel was patched Oct. 19 and in major distributions shortly thereafter. Google, however, got around to pushing a fix to handset makers in November and pushed a patch this week to its Nexus and Pixel handsets and to the Android Open Source Project.

In early October, a systemd vulnerability was disclosed; it allowed attackers with local access to crash Linux distributions with just 48 characters of code. That flaw, researcher Andrew Ayer said, was introduced two years ago into systemd 209.
