
CVE-2017-1000112

Published: 05/10/2017 Updated: 07/06/2023
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
CVSS v3 Base Score: 7 | Impact Score: 5.9 | Exploitability Score: 1
VMScore: 711
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls the append path can be switched from the UFO to the non-UFO one, which leads to memory corruption. In case the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

Vulnerable Products

linux / linux kernel

Vendor Advisories

Debian Bug report logs - #875881 linux: CVE-2017-1000251 Package: src:linux; Maintainer for src:linux is Debian Kernel Team <debian-kernel@lists.debian.org>; Reported by: Christoph Anton Mitterer <calestyo@scientia.net> Date: Fri, 15 Sep 2017 14:42:01 UTC Severity: critical Tags: confirmed, fixed-upstream, security, ...
Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks. CVE-2017-7518: Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advanta ...
Synopsis: Important: kernel security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) b ...
Synopsis: Important: kernel-rt security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVS ...
Synopsis: Important: kernel security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Telco Extended Update Support, and Red Hat Enterprise Linux 7.3 Update Services ...
Synopsis: Important: kernel-rt security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (C ...
Synopsis: Important: kernel security update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) b ...
Synopsis: Important: kernel security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) b ...
Synopsis: Important: kernel security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabil ...
Several security issues were fixed in the Linux kernel ...
Exploitable memory corruption due to UFO to non-UFO path switch (CVE-2017-1000112). Heap out-of-bounds in AF_PACKET sockets (CVE-2017-1000111). The mq_notify function in the Linux kernel does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situati ...
An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building a UFO packet with the MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges ...
Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls the append path can be switched from the UFO to the non-UFO one, which leads to memory corruption. In case the UFO packet length exceeds the MTU, copy = maxfraglen ...

Exploits

This Metasploit module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO). This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user ...
// A proof-of-concept local root exploit for CVE-2017-1000112 // Includes KASLR and SMEP bypasses. No SMAP bypass. // Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels // // EDB Note: Also included the work from ~ ricklarabee.blogspot.co.uk/2017/12/adapting-poc-for-cve-2017-1000112-to.html // Supports: Ubuntu Xen ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Ms ...
// A proof-of-concept local root exploit for CVE-2017-1000112 // Includes KASLR and SMEP bypasses. No SMAP bypass. // Tested on: // - Ubuntu trusty 4.4.0 kernels // - Ubuntu xenial 4.4.0 and 4.8.0 kernels // - Linux Mint rosa 4.4.0 kernels // - Linux Mint sarah 4.8.0 kernels // - Zorin OS 12.1 4.4.0-39 kernel // // Usage: // user@ubuntu:~$ uname - ...

Github Repositories

Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities

KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities. Setup: ./setup.sh; ./build.sh. It's been tested on Ubuntu 18.04. Usage: source koobe/bin/activate; cd aeg-analysis; python main.py -h. Tutorial: CVE-2017-7308, CVE-2018-5703, CVE-2017-7533, CVE-2017-1000112. Utilit

POE code for CVE-2017-1000112 adapted to both function on a specific VM and escape a Docker

CVE-2017-1000112-Adpated: POE code for CVE-2017-1000112 adapted to both function on a specific VM and escape a Docker

LES: Linux privilege escalation auditing tool. Quick download: wget raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh. Details about LES usage and inner workings: mzet-.github.io/2019/05/10/les-paper.html. Additional resources for the LE

LKRG bypass methods

lkrg-bypass: The repository contains a set of methods which I consider to be useful to test LKRG protection against exploitation. The history of researching such methods started a year back with my very first comment to the LKRG community on how I see the LKRG protection can be bypassed: www.openwall.com/lists/lkrg-users/2018/11/16/2. There were a few more discussions la

Exploit work Privilege Escalation CVE-2017-1000112

SNP-Assignment: Exploit work, Privilege Escalation, CVE-2017-1000112. As privilege escalation is the milestone from an attacker's view, I try to do a little research on local privilege escalation, which is the basic step of the whole privilege escalation unit. While I'm reading some articles, 2016 and 2017 are the years with the most privilege escalation reports, local and also remote

Escape from Docker using CVE-2017-1000112 and CVE-2017-18344, including gaining root privilege, getting all capabilities, namespace recovery, filesystem recovery, cgroup limitation bypass and seccomp bypass.

Escape from Docker using CVE-2017-1000112 and CVE-2017-18344. Including: gaining root privilege; get all capabilities; namespace recovery; filesystem recovery; cgroup limitation bypass; seccomp bypass

Linux privilege escalation auditing tool

LES: Linux privilege escalation auditing tool. Quick download: git clone github.com/0dayhunter/Linux-exploit-suggester.git. Purpose: The LES tool is designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine. It provides the following functionality: Assessing kernel exposure on publicly known

Linux kernel < 4.10.15 - Race Condition Privilege Escalation

Ecploit-kernel-410-linux-local: Linux kernel < 4.10.15 - Race Condition Privilege Escalation. Linux kernel < 4.10.15, CVE-2017-1000112. This is a proof-of-concept local root exploit for the vulnerability in the UFO Linux kernel implementation, CVE-2017-1000112. Some details: www.openwall.com/lists/oss-security/2017/08/13/1 s/timerfdc Vulnerability Exploit Vulne

Lightning talk

Lightning talk: Short presentation given at sthack and hacktivity about using CVE-2017-1000112 to escape docker & lxc

Recent Articles

Don't be BlindSided: Watch speculative memory probing bypass kernel defenses, give malware root control
The Register • Thomas Claburn in San Francisco • 10 Sep 2020

Silently side-step software safeguards

Boffins in America, the Netherlands, and Switzerland have devised a Spectre-style attack on modern processors that can defeat defenses that are supposed to stop malicious software from hijacking a computer's operating system. The end result is exploit code able to bypass a crucial protection mechanism and take over a device to hand over root access. That's a lot to unpack so we'll start from the top. Let's say you find a security vulnerability, such as a buffer overflow, in the kernel of a...