CVE-2017-5123

Vulnerability Summary

It was discovered that when the waitid() syscall in Linux kernel v4.13 was refactored, it accidentally stopped checking that its incoming argument pointed to userspace. This allowed local malicious users to write directly to kernel memory, which could lead to privilege escalation.

Vendor Advisories

Impact: Important. Public Date: 2017-10-12. CWE: CWE-391. Bugzilla: 1500094: CVE-2017-5123 kernel: Missing ...

Arch Linux Security Advisory ASA-201710-26
Severity: High
Date: 2017-10-17
CVE-ID: CVE-2017-5123
Package: linux
Type: privilege escalation
Remote: No
Link: security.archlinux.org/AVG-444
Summary: The package linux before version 4.13.7-1 is vulnerable to privilege escalat ...

Arch Linux Security Advisory ASA-201710-25
Severity: High
Date: 2017-10-16
CVE-ID: CVE-2017-5123
Package: linux-hardened
Type: privilege escalation
Remote: No
Link: security.archlinux.org/AVG-446
Summary: The package linux-hardened before version 4.13.7.a-1 is vulnerable ...

Arch Linux Security Advisory ASA-201710-24
Severity: High
Date: 2017-10-16
CVE-ID: CVE-2017-5123
Package: linux-zen
Type: privilege escalation
Remote: No
Link: security.archlinux.org/AVG-445
Summary: The package linux-zen before version 4.13.7-1 is vulnerable to privilege ...

It was discovered that when the waitid() syscall in Linux kernel v4.13 was refactored, it accidentally stopped checking that the incoming argument was pointing to userspace. This allowed local attackers to write directly to kernel memory, which could lead to privilege escalation ...

Exploits

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <string.h>
struct cred;
struct task_struct;
typedef struct cred *(*prepare_kernel_cred_t)(struct task_struct *daemon) __attribute__((regparm(3)));
t ...

// Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13
// By Chris Salls (twitter.com/chris_salls)
// This exploit can be used to break out of sandboxes such as that in google chrome
// In this proof of concept we install the seccomp filter from chrome as well as a chroot,
// then break out of those and get root
// Bypasses ...

Github Repositories

CVE-2017-5123 Exploit for the kernel vulnerability CVE-2017-5123. You can compile it with: gcc -static -Wall -Wextra -Werror -o cve20175123 CVE-2017-5123.c If you want further explanation, I've written an article explaining how it works; you can find it here. This exploit is more reliable than the one previously published by hexpresso, but it's still not perfect, he won ...

Exploiting CVE-2017-5123 Introduction This repository is an addition to the article published in MISC Magazine #96. We managed to elevate our privileges in a reliable way, on our virtual machine with SMEP / SMAP and KASLR enabled. It should however be noted that the system is left in an unstable state and that an oops is very likely to occur. Contents of this repository In the

README Note: The code in this repo is to demo the isolation of secure pod sandbox technologies such as kata containers and does not intend to attack any platforms. How to reproduce Get linux kernel 4.13.0, patch 0001-CVE-2017-5123-help-to-make-attack-safely.patch, build Linux kernel with config Kconfig, boot kernel and get address of dac_mmap_min_addr, have_canfork_callback, p

CVE

CVE-2017-5123 Linux privilege escalation exploiting waitid syscall. The exploit is brought to you by @XeR_0x2A and @chaign_c from HexpressoTeam for educational purposes only. The bug was introduced on 2017-05-21 and fixed on 2017-10-09; 4.14.0-rc4+ is known vulnerable. If you have a beginner/intermediate exploit writer level, we encourage you to exploit it yourself before readi

container-security Resources for container security research, such as Docker, Kubernetes, etc Kernel and architecture Namespaces in operation by Michael Kerrisk - whitepaper Control groups series by Neil Brown - whitepaper 2018, KubeCon, CloudNativeCon:"Container Isolation at Scale (Introducing gVisor) by Dawn Chen and Zhengyu He" - slide - video 2018:"A history

Resources Collection of resources for my preparation to take the OSEE certification Based on the syllabus from Offensive Security Browser Exploitation Safari/Chrome/Webkit Exploiting a Safari information leak by Bruno Keith Attacking Client-Side JIT Compilers by Samuel Groß Exploiting Logic Bugs in JavaScript JIT Engines by Samuel Groß Bypass and Sandbox

CVE-PoC-collection keep together all the forked repo regarding the CVE and PoC PoC Exploit Code for CVE-2014-6324 (Kerberos exploit MS14-068) forked from github.com/mubix/pykek PoC Exploit Code for CVE-2016-1764 Recovery of Plaintext iMessage Data Without Breaking Crypto forked from github.com/BishopFox/cve-2016-1764 PoC Exploit Code for CVE-2017-0199 to test Mi

awesome-container-security A collection of container related security resources Image Build Management Networking/Runtime Security profiles Exploits Honeypots Presentations/Posts Image Dagda Static image analysis tool Port Authority Open Source Security Scanner for Docker Getting started guide Source Understanding and Hardening Linux Containers The ...

on-pwning This repository contains my solutions to some CTF challenges and a list of interesting resources about pwning stuff Write-Ups/PoCs 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools | googleprojectzero.blogspot.com • fuzzing 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability | talosintelligence.com A cache invalidation bug in Li

awesome-vm-exploit Sharing some useful archives about vm and qemu escape exploit I want to collect what I can find Also be welcome to provide me with issues In computer security, virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system VMware Writeup and Exploit VMware Escape Exploit - CVE-2017-4901 利用一

OSG-macOS/iOS Security Group Translation Team A collection of works by the Kanxue (看雪) iOS Security Group translation team; if you find errors, flaws, awkward wording or bias, corrections are welcome! Kanxue iOS Security Group pinned guide and resource collection thread: [reverse engineering][debugging][vulnerabilities][jailbreak]: bbs.pediy.com/showthread.php?t=212685 Translation team maintained by: yaren (Kanxue ID: 西海) No. Article Source URL Translator ...

Kernel Driver mmap Handler Exploitation Fun with Windows kernel pool spraying cve-2016-6187-heap-off-by-one-exploit Exploiting on CVE-2016-6787 Analysis and exploitation of Linux kernel vulnerability CVE-2016-0728 Linux kernel privilege escalation vulnerability that lurked for 11 years disclosed CVE-2017-5123 Linux kernel v4.13 (Disable SELinux) Exploiting Windows 10 Kernel Drivers - Stack Overflow Making something out of Zeros: Alternative

exploit about privilege CVE list reproduce the vulnerabilities successfully CVE-2016-5195 dirtycow CVE-2015-1328 CVE-2015-8660 overlayfs CVE-2017-0359 ntfs-3g local privilege escalation to root CVE-2016-8655 'AF_PACKET' Race Condition Privilege Escalation, chocobo_root cannot reproduce the vulnerabilities CVE-2016-0728 REFCOUNT Overflow/Use-After-Free in Keyrings

kernelpop kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on the following operating systems: Linux Mac It is designed to be python version-agnostic, meaning that it should work with both python2 and python3 please let me know if you find that it doesn't example of enumeration to root (Linux) ways to use run

kernelpop kernelpop is a framework for performing automated kernel exploit enumeration on Linux, Mac, and Windows hosts example of enumeration to root NOTE: Since it seems like this project is getting some clones / views, I should say this is a work in progress I'm taking class and working fulltime so getting programming time is sporadic That said, I am actively maint

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE  #Description  #Kernels CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112  [a memory corruption due to UFO to non-UFO path switch] CVE-2017-7494  [Samba Remote execution] (Samba 3.5.0-4.6.4/4.5.10/4.4.14) CVE-2017-7308  [a signedness issue in AF_PACKET sockets]

Linux-Kernel-Exploit #CVE  #Description  #Kernels CVE-2018-1000001  [glibc] (glibc <= 2.26) CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112  [a memory corruption due to UFO to non-UFO path switch] CVE-2017-16995  [Memory corruption caused by BPF verifier] (Linux kernel before 4.14 - 4.4) CVE-2017-16939  

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE  #Description  #Kernels CVE-2018-1000001  [glibc] (glibc <= 2.26) CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112  [a memory corruption due to UFO to non-UFO path switch] CVE-2017-16995  [Memory corruption caused by BPF verifier] (Linux kern

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE  #Description  #Kernels CVE-2018-18955  [map_write() in kernel/user_namespace.c allows privilege escalation] (Linux kernel 4.15.x through 4.19.x before 4.19.2) CVE-2018-1000001  [glibc] (glibc <= 2.26) CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20)

Linux Kernel Exploitation Pull requests are welcome Books 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani Exploitation techniques 2019: "Leak kernel pointer by exploiting uninitialized uses in Linux kernel" by Jinbum Park [slides] 2018: "Linux Kernel universal heap spray" by Vitaly Nikolenko [arti

Linux Kernel Exploitation Some exploitation methods and techniques are outdated and don't work anymore on newer kernels Pull requests are welcome Books 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani Exploitation techniques 2018: "Linux-Kernel-Exploit Stack Smashing" [article] 2018, HitB: "Mirror

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

LKRG: Linux to Get a Loadable Kernel Module for Runtime Integrity Checking
BleepingComputer • Catalin Cimpanu • 04 Feb 2018

Members of the open source community are working on a new security-focused project for the Linux kernel. Named Linux Kernel Runtime Guard (LKRG), this is a loadable kernel module that will perform runtime integrity checking of the Linux kernel.
Its purpose is to detect exploitation attempts for known and unknown security vulnerabilities against the Linux kernel and attempt to block attacks.
LKRG will also detect privilege escalation for running processes, and kill the running process...