CVE-2015-3636

kernel: ping sockets: use-after-free leading to local privilege escalation

Severity Score: 4.9 (CVSS v2)

Exploit Likelihood: (EPSS)

Affected Versions: (CPE)

Public Exploits: 7 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.

Vulnerability in the ping_unhash function in net/ipv4/ping.c in the Linux kernel in versions before 4.0.3: it does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol and then making a connect system call after a disconnect.

It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system.

*Credits: N/A
CVSS Scores

Metric             First vector   Second vector
Attack Vector      Local          Local
Attack Complexity  Low            High
Authentication     None           Single
Confidentiality    None           Complete
Integrity          None           Complete
Availability       Complete       Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2015-05-02 CVE Reserved
  • 2015-06-10 CVE Published
  • 2015-08-31 First Exploit
  • 2023-03-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-416: Use After Free
CAPEC
References (36)
URL Date SRC
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157788.html 2019-04-22
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157897.html 2019-04-22
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158804.html 2019-04-22
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00023.html 2019-04-22
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00011.html 2019-04-22
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00004.html 2019-04-22
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00007.html 2019-04-22
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00008.html 2019-04-22
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00009.html 2019-04-22
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00011.html 2019-04-22
http://rhn.redhat.com/errata/RHSA-2015-1221.html 2019-04-22
http://rhn.redhat.com/errata/RHSA-2015-1534.html 2019-04-22
http://rhn.redhat.com/errata/RHSA-2015-1564.html 2019-04-22
http://rhn.redhat.com/errata/RHSA-2015-1583.html 2019-04-22
http://rhn.redhat.com/errata/RHSA-2015-1643.html 2019-04-22
http://www.debian.org/security/2015/dsa-3290 2019-04-22
http://www.ubuntu.com/usn/USN-2631-1 2019-04-22
http://www.ubuntu.com/usn/USN-2632-1 2019-04-22
http://www.ubuntu.com/usn/USN-2633-1 2019-04-22
http://www.ubuntu.com/usn/USN-2634-1 2019-04-22
https://bugzilla.redhat.com/show_bug.cgi?id=1218074 2015-08-18
https://access.redhat.com/security/cve/CVE-2015-3636 2015-08-18
Affected Vendors, Products, and Versions
Vendor     Product           Version   Other  Status
Linux      Linux Kernel      <= 4.0.2  -      Affected
Debian     Debian Linux      7.0       -      Affected
Redhat     Enterprise Linux  6.0       -      Affected
Canonical  Ubuntu Linux      12.04     lts    Affected