CVE-2017-16995

Published: 27/12/2017 Updated: 28/07/2018
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 786
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel up to and including 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.

Vendor Advisories

The system could be made to crash or run programs as an administrator ...
An arbitrary memory r/w access issue was found in the Linux kernel compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program An unprivileged user could use this flaw to escalate their privileges on a system S ...
Several security issues were fixed in the Linux kernel ...
An arbitrary memory r/w access issue was found in the Linux kernel before 4.14.9, 4.9.72 compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program An unprivileged user could use this flaw to escalate their pri ...
Arch Linux Security Advisory ASA-201801-2 ========================================= Severity: High Date : 2018-01-05 CVE-ID : CVE-2017-16995 CVE-2017-17449 CVE-2017-17558 CVE-2017-17712 CVE-2017-17805 CVE-2017-17806 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864 Package : linux-lts Type : multiple issues Remote : No Link ...
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free ...
Arch Linux Security Advisory ASA-201801-3 ========================================= Severity: High Date : 2018-01-05 CVE-ID : CVE-2017-16995 CVE-2017-16996 CVE-2017-17449 CVE-2017-17558 CVE-2017-17712 CVE-2017-17805 CVE-2017-17806 CVE-2017-17852 CVE-2017-17853 CVE-2017-17854 CVE-2017-17855 CVE-2017-17856 CVE-2017- ...
Arch Linux Security Advisory ASA-201801-1 ========================================= Severity: High Date : 2018-01-05 CVE-ID : CVE-2017-16995 CVE-2017-16996 CVE-2017-17449 CVE-2017-17558 CVE-2017-17712 CVE-2017-17805 CVE-2017-17806 CVE-2017-17852 CVE-2017-17853 CVE-2017-17854 CVE-2017-17855 CVE-2017-17856 CVE-2017- ...
Arch Linux Security Advisory ASA-201801-4 ========================================= Severity: High Date : 2018-01-05 CVE-ID : CVE-2017-16995 CVE-2017-16996 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17852 CVE-2017-17853 CVE-2017- ...

Exploits

/* Credit @bleidl, this is a slight modification to his original POC github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c For details on how the exploit works, please visit ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html Tested on Ubuntu 16.04 with the following Kernels 4.4.0-31-gene ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::File include M ...
/* * Ubuntu 16.04.4 kernel priv esc * * all credits to @bleidl * - vnik */ // Tested on: // 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 // if different kernel adjust CRED offset + check kernel stack size #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include < ...

Mailing Lists

Linux kernels prior to version 4.13.9 (Ubuntu 16.04/Fedora 27) local privilege escalation exploit ...
Linux kernel versions prior to 4.14.8 utilize the Berkeley Packet Filter (BPF), which contains a vulnerability where it may improperly perform sign extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This Metasploit module h ...

Metasploit Modules

Linux BPF Sign Extension Local Privilege Escalation

Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF), which contains a vulnerability where it may improperly perform sign extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This module has been tested successfully on: Debian 9.0 kernel 4.9.0-3-amd64; Deepin 15.5 kernel 4.9.0-deepin13-amd64; ElementaryOS 0.4.1 kernel 4.8.0-52-generic; Fedora 25 kernel 4.8.6-300.fc25.x86_64; Fedora 26 kernel 4.11.8-300.fc26.x86_64; Fedora 27 kernel 4.13.9-300.fc27.x86_64; Gentoo 2.2 kernel 4.5.2-aufs-r; Linux Mint 17.3 kernel 4.4.0-89-generic; Linux Mint 18.0 kernel 4.8.0-58-generic; Linux Mint 18.3 kernel 4.13.0-16-generic; Mageia 6 kernel 4.9.35-desktop-1.mga6; Manjaro 16.10 kernel 4.4.28-2-MANJARO; Solus 3 kernel 4.12.7-11.current; Ubuntu 14.04.1 kernel 4.4.0-89-generic; Ubuntu 16.04.2 kernel 4.8.0-45-generic; Ubuntu 16.04.3 kernel 4.10.0-28-generic; Ubuntu 17.04 kernel 4.10.0-19-generic; ZorinOS 12.1 kernel 4.8.0-39-generic.

msf > use exploit/linux/local/bpf_sign_extension_priv_esc
msf exploit(bpf_sign_extension_priv_esc) > show targets
    ...targets...
msf exploit(bpf_sign_extension_priv_esc) > set TARGET < target-id >
msf exploit(bpf_sign_extension_priv_esc) > show options
    ...show and set options...
msf exploit(bpf_sign_extension_priv_esc) > exploit

Github Repositories

Ubuntu1604-0day Scope: all 4.4 ubuntu aws instances are vulnerable. Jann Horn discovered that, in certain situations, the Berkeley Packet Filter (BPF) in the Linux kernel performs sign extension incorrectly in check_alu_op(). A local attacker could use this to escalate privileges on the system and obtain root. bpf: fix incorrect sign extension in check_alu_op() Distinguish between BPF_ALU64|BPF_MOV|BPF_

Linux Kernel Version 4.14 - 4.4 (Ubuntu && Debian)

Linux Kernel Version 4.14 - 4.4 (Ubuntu && Debian) Description: This vulnerability exists in the eBPF bpf(2) system call of the Linux kernel. When a user supplies a malicious BPF program that causes the eBPF verifier module to make a calculation error, the result is an arbitrary memory read/write. An unprivileged user can use this vulnerability to escalate privileges. The vulnerability was discovered by Google Project Zero. Vulnerability ID: CVE-2017-16995 Threat level

all 4.4 ubuntu aws instances are vulnerable

security_information_systems PoC of CVE-2017-16995 The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension Contents Vagrantfile script.sh Instructions Getting all prepared git clone github.c

CVE-2017-16995 Ubuntu local privilege escalation POC

The latest version of Ubuntu (Ubuntu 16.04) has a high-risk local privilege escalation vulnerability, CVE-2017-16995. The vulnerability exists in the Linux kernel's eBPF bpf(2) system call: when a user supplies a malicious BPF program that causes the eBPF verifier module to make a calculation error, the result is an arbitrary memory read/write, and a low-privileged user can use it to obtain administrative privileges. Affected versions: Ubuntu 16.04.1 through 16.04.4 all have this

Exploit adapted for a specific PoC on Ubuntu 16.04.01

CVE-2017-16995 tested for Ubuntu 16.04.01 - Linux 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 This vulnerability allows a simple user to perform a privilege escalation and get a root shell; if different kernel, adjust CRED offset + check kernel stack size

Writeup for CVE-2017-16995 Linux BPF Local Privilege Escalation

CVE-2017-16995 Writeup The folder contains a line-by-line source code analysis for CVE-2017-16995 (Linux BPF local privilege escalation) Exploit and patch tested on kernel 4.4.0-116 Credits Special thanks to difeng_tang who has also contributed to this writeup Exploit scripts were created by @iBearcat at github.com/iBearcat/CVE-2017-16995/blob/master/exploit.c

My learning notes of CVEs.

LearningFromCVE My learning notes of CVEs CVE-2017-16995: Ubuntu-4.4.0-117.141 kernel privilege escalation

CVE-2017-16995 (Ubuntu local privilege escalation vulnerability)

Vulnerability description: Ubuntu is an open-source GNU/Linux operating system aimed mainly at desktop use, based on Debian GNU/Linux. Recently a white-hat researcher disclosed that the latest version of Ubuntu (Ubuntu 16.04) has a local privilege escalation vulnerability, CVE-2017-16995. The vulnerability exists in the Linux kernel's eBPF bpf(2) system call: when a user supplies a malicious BPF program that causes the eBPF verifier module to make a calculation error, the result is arbitrary

kernel-pwn [+] Some real-world vulnerability analysis: Integer Overflow in BPF CVE-2017-16995, CVE-2017-7184 [+] Some kernel PWN challenges I finished: CISCN 2017 babydriver, 0CTF 2018 final baby, QWB 2018 CTF solid_core, CSAW-2015-CTF stringipc, WCTF 2018 klist, *CTF 2019 hackme, 0CTF 2018 zer0fs (about VFS in Linux, something new for me) Vulnerability is simple, bounds memory read and

Anything about kernel security. CTF kernel pwn, kernel exploit, kernel fuzz and kernel defense paper, kernel debugging technique, kernel CVE debug.

Kernel-Security-Learning Anything about kernel security CTF kernel pwn & kernel exploit, kernel fuzz and kernel defense paper & kernel debugging technique & kernel CVE debug Keep updating 1 CTF A first look at Linux kernel exploitation (1): environment setup; A first look at Linux kernel exploitation (2): demo-null_dereference; A first look at Linux kernel exploitation (3): de

Linux privilege escalation auditing tool

LES: Linux privilege escalation auditing tool Quick download: wget raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh Details about LES usage and inner workings: mzet-.github.io/2019/05/10/les-paper.html Additional resources for the LES: github.com/mzet-/les-res Purpose LES tool is designed to assist in

My solutions to some CTF challenges and a list of interesting resources about pwning stuff

on-pwning This repository contains my solutions to some CTF challenges and a list of interesting resources about pwning stuff Write-Ups/PoCs 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools | googleprojectzero.blogspot.com • fuzzing 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability | talosintelligence.com A cache invalidation bug in Li

Write-ups / walkthroughs of 'boot to root' Capture The Flag (CTF) challenges

Boot to root CTFs Walkthroughs and notes of 'boot to root' CTFs mostly from VulnHub that I did for fun I like to use vulnerable VMs from VulnHub (in addition to the ones I create) to organize hands-on penetration testing training sessions for junior security auditors/consultants :-) Classic pentest methodology to do a Boot2root CTF Step 1 - Scanning and enumeratio

Localroot Compile

Localroot Exploit This repository is a place where Localroot has been compiled and tested Linux Kernel Exploit with Compile #CVE  #Description  #Kernels Linux kernel XFRM Subsystem UAF [3.x - 5.x kernels] (Ubuntu 14.04 / 16.04 Server 4.4 LTS kernels, CentOS 8 4.18 kernels, Red Hat Enterprise Linux 4 4.18 kernels, Ubuntu 18.04 Server LTS 4.15 kernels) CVE-2020-72

Red team operations handbook

Red team field manual Disclaimer Author: By klion Date: 2020.2.15 Message: may every day after 2020 be well Why share: first, to provide a more comprehensive and practical reference for both the "attack" and "defense" sides. As the old saying goes, "if you do not know attack, how can you know defense"; anyone who talks only about "attack" or only about "defense" is talking nonsense; attack and defense go together

linux-kernel-exploits Introduction linux-kernel-exploits vulnerability list #CVE  #Description  #Kernels CVE-2018-1000001  [glibc] (glibc <= 2.26) CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112  [a memory corruption due to UFO to non-UFO path switch] CVE-2017-16995  [Memory corruption caused by BPF verifier] (Linux kern

Linux kernel EoP exp

linux-kernel-exploits Introduction Builds on the GitHub project github.com/SecWiki/linux-kernel-exploits by adding privilege escalation exploits from recent years; information about each vulnerability is collected in the Readme.md of the corresponding vulnerability folder. During red-team engagements, the script github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh can be used to assess which privilege escalation

linux-kernel-exploits A collection of Linux privilege escalation vulnerabilities

linux-kernel-exploits Introduction linux-kernel-exploits vulnerability list #CVE  #Description  #Kernels CVE-2018-18955  [map_write() in kernel/user_namespace.c allows privilege escalation] (Linux kernel 4.15.x through 4.19.x before 4.19.2) CVE-2018-1000001  [glibc] (glibc <= 2.26) CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20)

Localroot-ALL-CVE~

Localroot Collection Linux 2001 // CVE N/A | Sudo prompt overflow in v1.5.7 to 1.6.5p2 2002 // CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation 2003 // CVE-2003-0127 | Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Es

Not ready yet

Linux Kernel Exploitation Some exploitation methods and techniques are outdated and don't work anymore on newer kernels Pull requests are welcome Books 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani Exploitation techniques 2018: "Linux-Kernel-Exploit Stack Smashing" [article] 2018, HitB: "Mirror

A bunch of links related to Linux kernel exploitation

Linux Kernel Exploitation Pull requests are welcome Books 2014: "Android Hacker's Handbook" by Joshua J Drake 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani Workshops 2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop] Exploitation Techniques 2020: "Structures that can be u

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :