Privilege Escalation – SecuriTeam Blogs

SSD Advisory – Linux AF_LLC Double Free

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
A use after free vulnerability in AF_LLC allows local attackers to control the flow of code that the kernel executes, allowing them to cause it to run arbitrary code and gain elevated privileges.

Vendor Response
The vulnerability was reported to the Kernel Security, which asked us to contact the netdev team. A patch was provided by the netdev team, on the 27th of March, and was later integrated into the main code of Linux (we are not certain when).

Attempts to recontact the netdev and understand more on the timeline, went unanswered.

We know that the patch has been introduced as part of:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.17-rc2&id=b85ab56c3f81c5a24b5a5213374f549df06430da

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
The oldest known version to be affected Linux version 2.6.39.4, the patch has been introduced as part of 4.17-rc2.
Continue reading SSD Advisory – Linux AF_LLC Double Free

SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes a kernel stack buffer overflow that leads to privilege escalation found in Kingsoft Antivirus/Internet Security 9+.

Kingsoft Antivirus “provides effective and efficient protection solution at no cost to users. It applies cloud security technology to monitor, scan and protect your systems without any worrying. The comprehensive defender and anti-virus tools prevent and protect your computer from unwanted virus, worms, and Trojans. With the simplest and easiest-to-use functions, users find themselves no difficulty to handle Kingsoft Antivirus.”

Credit
An independent security researcher, Steven Seeley, has reported this vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
We tried to contact Kingsoft since October 8 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerability.
Continue reading SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

SSD Advisory – Huawei P8 wkupccpu debugfs Kernel Buffer Overflow

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes a buffer overflow found in Huawei P8 Lite ALE-21 HI621sft, operating system versions EMUI 3.1 – wkupccpu debugfs driver.

Huawei Technologies Co. Ltd. is “a multinational networking and telecommunications equipment and services company, it is the largest telecommunications equipment manufacturer in the world and the second largest smartphone manufacturer in the world”

Credit
A security researcher from, TRUEL IT, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
Huawei confirmed that the vulnerability is not present on their most current version (with EMUI 4.0 or later), the only affected version is 3.1 and prior, it is recommended that all customers of Huawei upgrade to the latest version of their OS.

http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171218-01-smartphone-en

Continue reading SSD Advisory – Huawei P8 wkupccpu debugfs Kernel Buffer Overflow

SSD安全公告-Linux内核XFRM权限提升漏洞

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

漏洞概要
以下安全公告描述了在Linux内核中发现的一个UAF漏洞，成功利用此漏洞的攻击者可以提升权限。漏洞存在于Netlink 套接字子系统 – XFRM.

Netlink用于在内核和用户空间进程之间传输信息。它由用户空间进程的标准基于套接字的接口和内核模块的内部内核API组成。

漏洞提交者

一位独立的安全研究员Mohamed Ghannam向Beyond Security的SSD报告了该漏洞

厂商响应

该漏洞已在补丁1137b5e中被修复（“ipsec：修复中止xfrm策略转储崩溃”）

CVE: CVE-2017-16939

 @@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr

 static int xfrm_dump_policy_done(struct netlink_callback *cb)
 {
-	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
 	struct net *net = sock_net(cb->skb->sk);
 
 	xfrm_policy_walk_done(walk, net);
 	return 0;
 }
 
+static int xfrm_dump_policy_start(struct netlink_callback *cb)
+{
+	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+
+	BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
+
+	xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+	return 0;
+}
+
 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
 {
 	struct net *net = sock_net(skb->sk);
-	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
 	struct xfrm_dump_info info;
 
-	BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
-		     sizeof(cb->args) - sizeof(cb->args[0]));
-
 	info.in_skb = cb->skb;
 	info.out_skb = skb;
 	info.nlmsg_seq = cb->nlh->nlmsg_seq;
 	info.nlmsg_flags = NLM_F_MULTI;
 
-	if (!cb->args[0]) {
-		cb->args[0] = 1;
-		xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
-	}
-
 	(void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
 
 	return skb->len;
 @@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
 
 static const struct xfrm_link {
 	int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
+	int (*start)(struct netlink_callback *);
 	int (*dump)(struct sk_buff *, struct netlink_callback *);
 	int (*done)(struct netlink_callback *);
 	const struct nla_policy *nla_pol;
 @@ -2487,6 +2490,7 @@ static const struct xfrm_link {
 	[XFRM_MSG_NEWPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },
 	[XFRM_MSG_DELPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy    },
 	[XFRM_MSG_GETPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
+						   .start = xfrm_dump_policy_start,
 						   .dump = xfrm_dump_policy,
 						   .done = xfrm_dump_policy_done },
 	[XFRM_MSG_ALLOCSPI    - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
 @@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 		{
 			struct netlink_dump_control c = {
+				.start = link->start,
 				.dump = link->dump,
 				.done = link->done,
 			};

@@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr

static int xfrm_dump_policy_done(struct netlink_callback *cb)

{

- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];

+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;

struct net *net = sock_net(cb->skb->sk);

xfrm_policy_walk_done(walk, net);

return 0;

}

+static int xfrm_dump_policy_start(struct netlink_callback *cb)

+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;

+ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));

+ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);

+ return 0;

static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)

{

struct net *net = sock_net(skb->sk);

- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];

+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;

struct xfrm_dump_info info;

- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >

- sizeof(cb->args) - sizeof(cb->args[0]));

info.in_skb = cb->skb;

info.out_skb = skb;

info.nlmsg_seq = cb->nlh->nlmsg_seq;

info.nlmsg_flags = NLM_F_MULTI;

- if (!cb->args[0]) {

- cb->args[0] = 1;

- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);

- }

(void) xfrm_policy_walk(net, walk, dump_one_policy, &info);

return skb->len;

@@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {

static const struct xfrm_link {

int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);

+ int (*start)(struct netlink_callback *);

int (*dump)(struct sk_buff *, struct netlink_callback *);

int (*done)(struct netlink_callback *);

const struct nla_policy *nla_pol;

@@ -2487,6 +2490,7 @@ static const struct xfrm_link {

[XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },

[XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },

[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,

+ .start = xfrm_dump_policy_start,

.dump = xfrm_dump_policy,

.done = xfrm_dump_policy_done },

[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },

@@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,

{

struct netlink_dump_control c = {

+ .start = link->start,

.dump = link->dump,

.done = link->done,

};

Continue reading SSD安全公告-Linux内核XFRM权限提升漏洞

Tag: Privilege Escalation

SSD Advisory – Linux AF_LLC Double Free

SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

SSD Advisory – Huawei P8 wkupccpu debugfs Kernel Buffer Overflow

SSD安全公告-Linux内核XFRM权限提升漏洞

If you enjoy this blog , please share it :)