CVE-2017-1000112

Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

Linux kernel: Existe una corrupción de memoria explotable debida al cambio de ruta de UFO a no UFO. Al crear un paquete UFO con MSG_MORE, __ip_append_data() llama a ip_ufo_append_data() para que se anexe. Sin embargo, entre dos llamadas send(), la ruta anexa puede cambiarse de UFO a no UFO, lo que lleva a una corrupción de memoria. Si la longitud del paquete UFO sobrepasa el MTU, copy = maxfraglen - skb->len se convierte en negativo en la ruta no UFO y se toma una rama para asignar un nuevo skb. Esto desencadena la fragmentación y el cálculo de fraggap = skb_prev->len - maxfraglen. fraggap puede exceder el MTU, lo que provoca que copy = datalen - transhdrlen - fraggap se vuelva negativo. En consecuencia, skb_copy_and_csum_bits() escribe fuera de límites. Existe un problema similar en el código IPv6. Este error fue introducido en e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") el 18 de octubre de 2005.

An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-10 CVE Published
2017-08-13 First Exploit
2017-10-03 CVE Reserved
2023-07-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-122: Heap-based Buffer Overflow
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (18)

URL	Tag	Source
http://www.securityfocus.com/bid/100262	Third Party Advisory
http://www.securitytracker.com/id/1039162	Third Party Advisory
https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/45147	2024-08-05
https://www.exploit-db.com/exploits/47169	2018-12-29
https://www.exploit-db.com/exploits/43418	2017-08-13
https://github.com/ol0273st-s/CVE-2017-1000112-Adpated	2020-02-14

URL	Date	SRC
http://seclists.org/oss-sec/2017/q3/277	2023-06-07

URL	Date	SRC
http://www.debian.org/security/2017/dsa-3981	2023-06-07
https://access.redhat.com/errata/RHSA-2017:2918	2023-06-07
https://access.redhat.com/errata/RHSA-2017:2930	2023-06-07
https://access.redhat.com/errata/RHSA-2017:2931	2023-06-07
https://access.redhat.com/errata/RHSA-2017:3200	2023-06-07
https://access.redhat.com/errata/RHSA-2019:1931	2023-06-07
https://access.redhat.com/errata/RHSA-2019:1932	2023-06-07
https://access.redhat.com/errata/RHSA-2019:4159	2023-06-07
https://access.redhat.com/security/cve/CVE-2017-1000112	2019-12-10
https://bugzilla.redhat.com/show_bug.cgi?id=1479307	2019-12-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.15 < 3.10.108 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.15 < 3.10.108"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.11 < 3.16.47 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.16.47"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.17 < 3.18.65 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.65"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 4.4.82 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.82"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.5 < 4.9.43 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.9.43"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 4.12.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.12.7"		-		Affected