CVE-2017-1000253
Linux Kernel PIE Stack Buffer Corruption Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 3
Exploited in Wild: Yes
Decision
Descriptions
This issue affects Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). The bug was fixed upstream in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security issue at the time. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled and the normal top-down address allocation strategy, load_elf_binary() attempts to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_binary() does not account for the need to reserve sufficient space for the entire binary, which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base, into the area that is supposed to be the "gap" between the stack and the binary.
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as a Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to a SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
The Linux kernel contains a position-independent executable (PIE) stack buffer corruption vulnerability in load_elf_binary() that allows a local attacker to escalate privileges.
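The placement arithmetic described above, as an added user-space model (this is not kernel code and not from any of the referenced exploits): it parses the PT_LOAD headers of a constructed ELF64 PIE image (text at vaddr 0, data/bss about 2 MiB higher, the usual x86_64 PIE layout) and places them the way a pre-fix load_elf_binary() did (reserve only the first segment just below mm->mmap_base, then MAP_FIXED the rest at load_bias + p_vaddr) versus the way the fixed loader does (reserve the whole span returned by total_mapping_size(), the helper that commit a87938b2e246 added). The mmap_base value and the segment sizes are made up for the example; the `sample_*` wrappers, `build_sample_pie()` and `load_phdrs()` are illustration helpers, not kernel functions.

```c
/* Added example, not kernel code: model of PIE segment placement in
 * load_elf_binary() before and after commit a87938b2e246. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG 4096UL
#define PAGE_ALIGN(x) (((x) + PG - 1) & ~(PG - 1))
#define PAGE_START(x) ((x) & ~(PG - 1))
#define PAGE_OFF(x)   ((x) & (PG - 1))

/* Same computation as the total_mapping_size() helper added by the fix:
 * span from the page-aligned start of the first PT_LOAD to the end of the
 * last one (p_vaddr + p_memsz, so .bss counts). */
uint64_t total_mapping_size(const Elf64_Phdr *ph, int n)
{
    int first = -1, last = -1;
    for (int i = 0; i < n; i++)
        if (ph[i].p_type == PT_LOAD) { if (first < 0) first = i; last = i; }
    if (first < 0) return 0;
    return ph[last].p_vaddr + ph[last].p_memsz - PAGE_START(ph[first].p_vaddr);
}

/* Place the PT_LOAD segments with a top-down allocator whose only occupant
 * so far is the stack gap above mmap_base.  Returns how many PT_LOAD
 * segments end above mmap_base, i.e. land inside the stack gap.
 *   fixed == 0: reserve only the first segment (pre-fix behaviour)
 *   fixed == 1: reserve PAGE_ALIGN(total_mapping_size()) (post-fix) */
int segments_in_stack_gap(const Elf64_Phdr *ph, int n, uint64_t mmap_base,
                          int fixed, uint64_t *bias)
{
    int first = -1;
    for (int i = 0; i < n && first < 0; i++)
        if (ph[i].p_type == PT_LOAD) first = i;
    if (first < 0) return 0;
    uint64_t reserve = fixed
        ? PAGE_ALIGN(total_mapping_size(ph, n))
        : PAGE_ALIGN(ph[first].p_filesz + PAGE_OFF(ph[first].p_vaddr));
    uint64_t start = PAGE_START(mmap_base - reserve); /* first free range below mmap_base */
    *bias = start - PAGE_START(ph[first].p_vaddr);    /* load_bias for this PIE */
    int above = 0;
    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD) continue;
        uint64_t end = *bias + ph[i].p_vaddr + ph[i].p_memsz; /* MAP_FIXED at bias + vaddr */
        if (end > mmap_base) above++;
    }
    return above;
}

/* Constructed sample: ELF64 header followed by two PT_LOAD headers. */
size_t build_sample_pie(unsigned char *buf, size_t cap)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    size_t need = sizeof eh + sizeof ph;
    if (cap < need) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = ET_DYN;                       /* PIE executables are ET_DYN */
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD; ph[0].p_vaddr = 0;        ph[0].p_filesz = 0x1000; ph[0].p_memsz = 0x1000;
    ph[1].p_type = PT_LOAD; ph[1].p_vaddr = 0x200d40; ph[1].p_filesz = 0x2c0;  ph[1].p_memsz = 0x10000;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    return need;
}

/* Locate the program header table with bounds checks; returns count or -1. */
int load_phdrs(const unsigned char *img, size_t len, const Elf64_Phdr **out)
{
    if (len < sizeof(Elf64_Ehdr)) return -1;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) || eh->e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh->e_type != ET_DYN) return -1;       /* only PIE takes the buggy path */
    if (eh->e_phentsize != sizeof(Elf64_Phdr)) return -1;
    if (eh->e_phoff > len || (size_t)eh->e_phnum * sizeof(Elf64_Phdr) > len - eh->e_phoff) return -1;
    *out = (const Elf64_Phdr *)(img + eh->e_phoff);
    return eh->e_phnum;
}

/* Wrappers over the constructed image with a made-up mmap_base. */
static int sample_run(int fixed, uint64_t *bias)
{
    _Alignas(8) unsigned char img[256];
    const Elf64_Phdr *ph;
    int n = load_phdrs(img, build_sample_pie(img, sizeof img), &ph);
    return n < 0 ? -1 : segments_in_stack_gap(ph, n, 0x7ffff7fff000ULL, fixed, bias);
}
int      sample_segments_in_gap(int fixed) { uint64_t b; return sample_run(fixed, &b); }
uint64_t sample_load_bias(int fixed)       { uint64_t b; sample_run(fixed, &b); return b; }

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++)
        printf("%s kernel: load_bias=0x%llx segments above mmap_base=%d\n",
               fixed ? "fixed" : "buggy",
               (unsigned long long)sample_load_bias(fixed), sample_segments_in_gap(fixed));
    return 0;
}
```

With the constructed layout the pre-fix placement leaves the second PT_LOAD (data plus .bss) ending roughly 2 MiB above mmap_base, inside the stack gap, while the post-fix placement keeps the whole 0x211000-byte span below it. The model ignores randomization and other mappings, so real addresses differ; what carries over is that the gap consumed equals the distance between the first and last PT_LOAD, which `readelf -l` shows for any real PIE.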
CVSS Scores
SSVC
- Decision:Act
Timeline
- 2017-09-26 CVE Published
- 2017-09-26 First Exploit
- 2017-10-03 CVE Reserved
- 2024-09-09 Exploited in Wild
- 2024-09-10 CVE Updated
- 2024-09-10 EPSS Updated
- 2024-09-30 KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (18)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/101010 | Third Party Advisory | |
http://www.securitytracker.com/id/1039434 | Third Party Advisory | |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/42887 | 2017-09-26 | |
https://github.com/RicterZ/PIE-Stack-Clash-CVE-2017-1000253 | 2017-11-01 | |
https://github.com/sxlmnwb/CVE-2017-1000253 | 2022-10-16 | |
URL | Date | SRC |
---|---|---|
https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt | 2023-01-17 | |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2017:2793 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2794 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2795 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2796 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2797 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2798 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2799 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2800 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2801 | 2023-01-17 | |
https://access.redhat.com/errata/RHSA-2017:2802 | 2023-01-17 | |
https://access.redhat.com/security/cve/CVE-2017-1000253 | 2017-09-26 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1492212 | 2017-09-26 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Centos | Centos | 6.0 | - | Affected |
Centos | Centos | 6.1 | - | Affected |
Centos | Centos | 6.2 | - | Affected |
Centos | Centos | 6.3 | - | Affected |
Centos | Centos | 6.4 | - | Affected |
Centos | Centos | 6.5 | - | Affected |
Centos | Centos | 6.6 | - | Affected |
Centos | Centos | 6.7 | - | Affected |
Centos | Centos | 6.8 | - | Affected |
Centos | Centos | 6.9 | - | Affected |
Centos | Centos | 7.1406 | - | Affected |
Centos | Centos | 7.1503 | - | Affected |
Centos | Centos | 7.1511 | - | Affected |
Centos | Centos | 7.1611 | - | Affected |
Redhat | Enterprise Linux | 6.0 | - | Affected |
Redhat | Enterprise Linux | 6.1 | - | Affected |
Redhat | Enterprise Linux | 6.2 | - | Affected |
Redhat | Enterprise Linux | 6.3 | - | Affected |
Redhat | Enterprise Linux | 6.4 | - | Affected |
Redhat | Enterprise Linux | 6.5 | - | Affected |
Redhat | Enterprise Linux | 6.6 | - | Affected |
Redhat | Enterprise Linux | 6.7 | - | Affected |
Redhat | Enterprise Linux | 6.8 | - | Affected |
Redhat | Enterprise Linux | 6.9 | - | Affected |
Redhat | Enterprise Linux | 7.0 | - | Affected |
Redhat | Enterprise Linux | 7.1 | - | Affected |
Redhat | Enterprise Linux | 7.2 | - | Affected |
Redhat | Enterprise Linux | 7.3 | - | Affected |
Linux | Linux Kernel | >= 2.6.25 < 3.2.70 | - | Affected |
Linux | Linux Kernel | >= 3.3 < 3.4.109 | - | Affected |
Linux | Linux Kernel | >= 3.5 < 3.10.77 | - | Affected |
Linux | Linux Kernel | >= 3.11 < 3.12.43 | - | Affected |
Linux | Linux Kernel | >= 3.13 < 3.14.41 | - | Affected |
Linux | Linux Kernel | >= 3.15 < 3.16.35 | - | Affected |
Linux | Linux Kernel | >= 3.17 < 3.18.14 | - | Affected |
Linux | Linux Kernel | >= 3.19 < 3.19.7 | - | Affected |
Linux | Linux Kernel | >= 4.0 < 4.0.2 | - | Affected |