CVSSv2: 7.2

CVE-2016-4557

Published: 23/05/2016 Updated: 17/01/2023
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 731
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel prior to 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.

Vulnerable Product

linux linux kernel

Vendor Advisories

Debian Bug report logs - #823603 linux: CVE-2016-4557: [Local root exploit] Use after free via double-fdput in bpf. Package: src:linux; Maintainer for src:linux is Debian Kernel Team <debian-kernel@lists.debian.org>; Reported by: <mike_b@tutanota.com>; Date: Fri, 6 May 2016 12:18:01 UTC; Severity: critical; Tags: securi ...
The Linux kernel did not properly suppress hugetlbfs support in x86 PV guests, which could allow local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area (CVE-2016-3961 / XSA-174). A flaw was found in the way the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags ...
Several security issues were fixed in the kernel ...
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor ...

Exploits

Linux kernel versions 4.4 and above, where CONFIG_BPF_SYSCALL is enabled and the kernel.unprivileged_bpf_disabled sysctl is not set to 1, allow BPF to be abused for privilege escalation. Ubuntu 16.04 has all of these conditions met ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::FileDropper def initialize(info={}) s ...
Source: bugs.chromium.org/p/project-zero/issues/detail?id=808. In Linux >= 4.4, when the CONFIG_BPF_SYSCALL config option is set and the kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime, unprivileged code can use the bpf() syscall to load eBPF socket filter programs. These conditions are fulfilled in Ubuntu 16 ...

GitHub Repositories

Installation: install dependencies with pip install -r requirements.txt. Environment setup: chmod +x run.sh; ./run.sh. Note: the correct path needs to be configured. Note: because the dataflowanalyzer is not provided, the kernel needs to be debugged to obtain the required value in Linux_kernel_exploits/fuze/test/cve-2016-45

Steps to follow when participating in CTF

CTF -- CTF AWESOME. Steps to follow when participating in CTF. Collaborative markdown notes. See all opened ports, here # All ports: nmap -p- 192.168.1.1 # This may detect more things, takes longer: detects if ftp is vulnerable: nmap -A 192.168.1.1; nmap -sV -A 192.168.1.1; nmap -A -O -T4 --script=vuln 192.168.1.66. Connect to a specific port

GoBPFLD is a pure Go eBPF loader/userspace library

GoBPFLD. GoBPFLD is a pure Go eBPF loader/userspace library, an alternative to gobpf, which requires CGO to work. The goal of GoBPFLD is to provide a library for eBPF development comparable to libbpf (the C library) but without CGO, which improves the development experience. WARNING: GoBPFLD is currently not (yet) feature complete, and may lack critical features for s

PHP Kernel Exploits. PHP Kernel Exploits; based on the number of operating system releases. This is a script to detect the kernel version and possible local root exploits. Sample usage: $ php -f kernel-exploits.php 4.4.0 $ php -f kernel-exploits.php PHP Kernel Exploits ========================== Kernel local: 4.4.0 Possible Exploits: [+] Linux Kernel 4.4.x (Ubuntu 16.04) - doub