CVE-2017-1000371 – Linux Kernel - 'offset2lib' Stack Clash
https://notcve.org/view.php?id=CVE-2017-1000371
The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems. El parche offset2lib tal como es usado por el Kernel de Linux contiene una vulnerabilidad, si RLIMIT_STACK se establece en RLIM_INFINITY y se asigna 1 gigabyte de memoria (el máximo bajo la restricción de 1/4) entonces la pila se reducirá hasta 0x80000000, y como el binario PIE es asignado por encima de 0x80000000 la distancia mínima entre el final del segmento de lectura y escritura del binario PIE y el inicio de la pila se convierte en lo suficientemente pequeño como para que la página de protección de pila puede ser saltada por un atacante. • https://www.exploit-db.com/exploits/42273 https://www.exploit-db.com/exploits/42276 http://www.debian.org/security/2017/dsa-3981 http://www.securityfocus.com/bid/99131 https://access.redhat.com/security/cve/CVE-2017-1000371 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt https://bugzilla.redhat.com/show_bug.cgi?id=1462158 • CWE-20: Improper Input Validation •
CVE-2017-1000364 – Solaris - RSH Stack Clash Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000364
An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). Se ha descubierto un problema en el tamaño de la página de stack guard en Linux; específicamente, una página 4k stack guard no es lo suficientemente grande y puede "saltarse" (se omite la página de stack guard). Esto afecta al kernel de Linux en versiones 4.11.5 y anteriores (la página stackguard fue introducida en 2010). A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. • https://www.exploit-db.com/exploits/45625 http://www.debian.org/security/2017/dsa-3886 http://www.securityfocus.com/bid/99130 http://www.securitytracker.com/id/1038724 https://access.redhat.com/errata/RHSA-2017:1482 https://access.redhat.com/errata/RHSA-2017:1483 https://access.redhat.com/errata/RHSA-2017:1484 https://access.redhat.com/errata/RHSA-2017:1485 https://access.redhat.com/errata/RHSA-2017:1486 https://access.redhat.com/errata/RHSA-2017:1487 https://a • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2017-1000379 – Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000379
The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected. El Kernel de Linux ejecutándose en sistemas AMD64 a veces asignará el contenido de un ejecutable PIE, la región heap o el archivo ld.so donde la pila es asignada, permitiendo a los atacantes manipular más fácilmente la pila. Kernel de Linux versión 4.11.5, esta afectado. • https://www.exploit-db.com/exploits/42275 http://www.securityfocus.com/bid/99284 https://access.redhat.com/errata/RHSA-2017:1482 https://access.redhat.com/errata/RHSA-2017:1484 https://access.redhat.com/errata/RHSA-2017:1485 https://access.redhat.com/errata/RHSA-2017:1486 https://access.redhat.com/errata/RHSA-2017:1487 https://access.redhat.com/errata/RHSA-2017:1488 https://access.redhat.com/errata/RHSA-2017:1489 https://access.redhat.com/errata/RHSA-2017:1490 https •
CVE-2017-1000370 – Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000370
The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems. El parche offset2lib tal como es usado por el Kernel de Linux contiene una vulnerabilidad que permite que un binario PIE sea execve()'ed con 1 GB de argumentos o cadenas de entorno, entonces la pila ocupa la dirección 0x80000000 y el binario PIE se asigna por encima de 0x40000000 haciendo null la protección del parche offset2lib. • https://www.exploit-db.com/exploits/42274 https://www.exploit-db.com/exploits/42273 http://www.debian.org/security/2017/dsa-3981 http://www.securityfocus.com/bid/99149 https://access.redhat.com/security/cve/CVE-2017-1000370 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt •
CVE-2017-1000380 – kernel: information leak due to a data race in ALSA timer
https://notcve.org/view.php?id=CVE-2017-1000380
sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. El archivo sound/core/timer.c en el kernel de Linux anterior a versión 4.11.5, es vulnerable a una carrera de datos en el controlador de /dev/snd/timer de ALSA, resultando en que los usuarios locales sean capaces de leer la información que pertenece a otros usuarios, es decir, los contenidos de la memoria sin inicializar pueden ser divulgados cuando una lectura y un ioctl se presentan al mismo tiempo. It was found that the timer functionality in the Linux kernel ALSA subsystem is prone to a race condition between read and ioctl system call handlers, resulting in an uninitialized memory disclosure to user space. A local user could use this flaw to read information belonging to other users. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ba3021b2c79b2fa9114f92790a99deb27a65b728 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d11662f4f798b50d8c8743f433842c3e40fe3378 http://www.debian.org/security/2017/dsa-3981 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.5 http://www.openwall.com/lists/oss-security/2017/06/12/2 http://www.securityfocus.com/bid/99121 https://access.redhat.com/errata/RHSA-2017:3295 https: • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •