CVE-2017-5123

Published: 02/11/2021 Updated: 23/12/2021
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 8.8 | Impact Score: 6 | Exploitability Score: 2
VMScore: 484
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

It was discovered that when the waitid() syscall in Linux kernel v4.13 was refactored, it accidentally stopped checking that the incoming argument pointed to userspace. This allowed local malicious users to write directly to kernel memory, which could lead to privilege escalation.

Vulnerable Product

linux linux kernel

Vendor Advisories

Arch Linux Security Advisory ASA-201710-26
Severity: High
Date: 2017-10-17
CVE-ID: CVE-2017-5123
Package: linux
Type: privilege escalation
Remote: No
Link: security.archlinux.org/AVG-444
Summary: The package linux before version 4.13.7-1 is vulnerable to privilege escalat ...

Impact: Important
Public Date: 2017-10-12
CWE: CWE-391
Bugzilla: 1500094: CVE-2017-5123 kernel: Missing ...

Arch Linux Security Advisory ASA-201710-24
Severity: High
Date: 2017-10-16
CVE-ID: CVE-2017-5123
Package: linux-zen
Type: privilege escalation
Remote: No
Link: security.archlinux.org/AVG-445
Summary: The package linux-zen before version 4.13.7-1 is vulnerable to privilege ...

Arch Linux Security Advisory ASA-201710-25
Severity: High
Date: 2017-10-16
CVE-ID: CVE-2017-5123
Package: linux-hardened
Type: privilege escalation
Remote: No
Link: security.archlinux.org/AVG-446
Summary: The package linux-hardened before version 4.13.7.a-1 is vulnerable ...

It was discovered that when the waitid() syscall in Linux kernel v4.13 was refactored, it accidentally stopped checking that the incoming argument pointed to userspace. This allowed local attackers to write directly to kernel memory, which could lead to privilege escalation ...

Exploits

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <string.h>
struct cred;
struct task_struct;
typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
t ...

// Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13
// By Chris Salls (twitter.com/chris_salls)
// This exploit can be used to break out of sandboxes such as that in google chrome
// In this proof of concept we install the seccomp filter from chrome as well as a chroot,
// then break out of those and get root
// Bypasses ...

GitHub Repositories

Source code and configuration files related to our article in MISC96

Exploiting CVE-2017-5123 Introduction This repository is an addition to the article published in MISC Magazine #96 We managed to elevate our privileges in a reliable way, on our virtual machine with SMEP / SMAP and KASLR enabled It should however be noted that the system is left in an unstable state and that an oops is very likely to occur Contents of this repository In the

linux kernel exploit

CVE-2017-5123 Linux privilege escalation exploiting waitid syscall The exploit is brought to you by @XeR_0x2A and @chaign_c from HexpressoTeam for educational purposes only The bug was introduced on 2017-05-21 and fixed on 2017-10-09; 4.14.0-rc4+ is known vulnerable If you have a beginner/intermediate exploit writer level, we encourage you to exploit it yourself before readi

Exploit for the linux kernel vulnerability CVE-2017-5123

CVE-2017-5123 Exploit for the kernel vulnerability CVE-2017-5123 You can compile it with: gcc -static -Wall -Wextra -Werror -o cve20175123 CVE-2017-5123.c If you want further explanation, I've written an article explaining how it works, you can find it here This exploit is more reliable than the previous one published by hexpresso, but it's still not perfect, he won't

Resources for CloudNative security research

Cloud Native Security Resources for Cloud Native Security Research, such as Docker, Kubernetes, etc Pull request welcome Intro 2020:"Cloud Native Security: Container Security Practice" by Pray3r - article, CN Series of articles: Exploring Container Security by Google - articles Kernel and architecture Namespaces in operation by Michael Kerrisk - whitepaper Control g

Microservices & Container Security Table of Contents Foundations Specifications Clouds Operating Systems Hypervisors Containers Sandboxes Partial Access Filesystem Dashboard Best practices Security Tools Links Levels of security problems Technologies for security Another Information Sources Container Security Image Build Management Networking/Runtime Security profi

README Note: The code in this repo is to demo the isolation of secure pod sandbox technologies such as kata containers and does not intend to attack any platforms How to reproduce Get linux kernel 4.13.0 patch 0001-CVE-2017-5123-help-to-make-attack-safely.patch Build Linux kernel with config Kconfig Boot kernel and get address of dac_mmap_min_addr, have_canfork_callback, p

container-privilege-escalation This repository has the sources and utilities required to exploit the CVE-2017-5123 vulnerability which affected Linux kernel 4.13 A more detailed explanation of the exploit can be found on other websites such as and We will use Ubuntu 16.04 for this exploit Compile and install vulnerable Linux kernel We need to first compile and install

PoC CVE-2017-5123 - LPE - Bypassing SMEP/SMAP. No KASLR

CVE-2017-5123 PoC CVE-2017-5123 - LPE - Bypassing SMEP/SMAP No KASLR The waitid implementation in upstream kernels did not restrict the target destination to copy information results This can allow local users to write to otherwise protected kernel memory, which can lead to privilege escalation Introduction In this little writeup, I will analyze a kernel vulnerability that

Awesome list of resources related to container security

awesome-container-security A collection of container related security resources Image Build Management Networking/Runtime Security profiles Exploits Honeypots Presentations/Posts Image Deepfence Runtime Threat Mapper Identify vulnerabilities in running containers, images, hosts and repositories Dagda Static image analysis tool Port Authority Open Source

[ KASLD ] Kernel Address Space Layout Derandomization - A collection of various techniques to bypass Linux Kernel Address Space Layout Randomization (KASLR) and retrieve the kernel base virtual address on x86 / x86_64 architectures as an unprivileged local user.

[ KASLD ] Kernel Address Space Layout Derandomization A collection of various techniques to bypass Linux Kernel Address Space Layout Randomization (KASLR) and retrieve the kernel base virtual address on x86 / x86_64 architectures as an unprivileged local user The code is structured for easy re-use; however, leaked addresses may need to be bit masked appropriately for the target

My solutions to some CTF challenges and a list of interesting resources about pwning stuff

on-pwning This repository contains my solutions to some CTF challenges and a list of interesting resources about pwning stuff Write-Ups/PoCs 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools | googleprojectzero.blogspot.com • fuzzing 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability | talosintelligence.com A cache invalidation bug in Li

share some useful archives about vm and qemu escape exploit.

awesome-vm-exploit Sharing some useful archives about vm and qemu escape exploits I want to collect what I can find Also feel welcome to provide me with issues In computer security, virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system VMware Writeup and Exploit VMware Escape Exploit - CVE-2017-4901 exploitation

keep together all the forked repos regarding CVE or PoC

CVE-PoC-collection keep together all the forked repos regarding the CVE and PoC PoC Exploit Code for CVE-2014-6324 (Kerberos exploit MS14-068) forked from github.com/mubix/pykek PoC Exploit Code for CVE-2016-1764 Recovery of Plaintext iMessage Data Without Breaking Crypto forked from github.com/BishopFox/cve-2016-1764 PoC Exploit Code for CVE-2017-0199 to test Mi

Kernel-Security

Kernel Driver mmap Handler Exploitation Fun with Windows kernel pool spraying cve-2016-6187-heap-off-by-one-exploit Exploiting on CVE-2016-6787 Analysis and exploitation of the Linux kernel vulnerability CVE-2016-0728 An 11-year-old Linux kernel privilege escalation vulnerability disclosed CVE-2017-5123 Linux kernel v4.13 (Disable SELinux) Exploiting Windows 10 Kernel Drivers - Stack Overflow Making something out of Zeros: Alternative

A collection of works by the Pediy (看雪) iOS Security Group translation team; corrections are welcome!

OSG-macOS/iOS Security Group Translation Team A collection of works by the Pediy (看雪) iOS Security Group translation team; if you find errors, flaws, awkward wording or bias, corrections are welcome! Pinned guide and resource thread of the Pediy iOS Security Group: [Reversing][Debugging][Vulnerabilities][Jailbreak]: bbs.pediy.com/showthread.php?t=212685 Translation team maintained by: yaren (Pediy ID: 西海) No. Article Source URL Translator ...

exploit about privilege CVE list reproduce the vulnerabilities successfully CVE-2019-14287 sudo CVE-2019-14287 CVE-2016-5195 dirtycow CVE-2015-1328 CVE-2015-8660 overlayfs CVE-2017-0359 ntfs-3g local privilege escalation to root CVE-2016-8655 'AF_PACKET' Race Condition Privilege Escalation, chocobo_root cannot reproduce the vulnerabilities CVE-2016-0728 REFCOUNT O

kernelpop kernelpop is a framework for performing automated kernel exploit enumeration on Linux, Mac, and Windows hosts example of enumeration to root NOTE: Since it seems like this project is getting some clones / views, I should say this is a work in progress I'm taking class and working fulltime so getting programming time is sporadic That said, I am actively maint

kernel privilege escalation enumeration and exploitation framework

kernelpop kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on the following operating systems: Linux Mac It is designed to be python version-agnostic, meaning that it should work with both python2 and python3 please let me know if you find that it doesn't example of enumeration to root (Linux) ways to use run

Awesome Cloud Native Security This repository is used to collect AWESOME resources on the topic of cloud native security found during research Note: All resources will be suffixed and ordered by date of conferences, blogs or other formats of publication, if applicable Resources in sub-list are related to their parent entries For simplicity, resources would NOT be duplicat

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE #Description #Kernels CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112 [a memory corruption due to UFO to non-UFO path switch] CVE-2017-7494 [Samba Remote execution] (Samba 3.5.0-4.6.4/4.5.10/4.4.14) CVE-2017-7308 [a signedness issue in AF_PACKET sockets]

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE #Description #Kernels CVE-2018-1000001 [glibc] (glibc <= 2.26) CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112 [a memory corruption due to UFO to non-UFO path switch] CVE-2017-16995 [Memory corruption caused by BPF verifier] (Linux kern

Linux kernel EoP exp

linux-kernel-exploits Introduction Based on the GitHub project github.com/SecWiki/linux-kernel-exploits, with privilege escalation exploits from recent years added; the information collected about each vulnerability is in the Readme.md under the corresponding vulnerability folder. During red team engagements, the script github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh can be used to assess which privilege escal ...

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE #Description #Kernels CVE-2018-18955 [map_write() in kernel/user_namespace.c allows privilege escalation] (Linux kernel 4.15.x through 4.19.x before 4.19.2) CVE-2018-1000001 [glibc] (glibc <= 2.26) CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20)

What's this This project is mainly used to collect the exp for Linux platform privilege escalation, only to help penetration testers quickly achieve privilege escalation in real engagements Information CVE ID Description Kernels CVE-2004-0077 Linux Kernel 2.4.20, 2.2.24, 2.4.25, 2.4.26, 2.4.27 CVE-2004-1235 Linux Kernel 2.4.29 CVE-2005-0736 Linux Kernel 2.6.5, 2.6.7,

Localroot-ALL-CVE~

Localroot Collection Linux 2001 // CVE N/A | Sudo prompt overflow in v1.5.7 to 1.6.5p2 2002 // CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation 2003 // CVE-2003-0127 | Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Es

linux-kernel-exploits A collection of Linux platform privilege escalation vulnerabilities

Linux Elevation (continuously updated)

Linux Elevation This project is for Linux Elevation Vulnerable list #CVE #Description #Kernels CVE-2021-3156 [Sudo 1.8.2 - 1.8.31p2, Sudo 1.9.0 - 1.9.5p1] CVE-2020-9470 [Wing FTP Server 6.2.5 - Privilege Escalation] CVE-2020-8635 [Wing FTP Server 6.2.3 - Privilege Escalation] CVE-2020-8835 [Linux Kernel 5.4 or Linux Kernel 5.4] CVE-2019-7304 [2.34.2ubuntu0.1 or 23

Linux Elevation (continuously updated)

Linux Elevation This project is for Linux Elevation Vulnerable list #CVE #Description #Kernels CVE-2020-9470 [Wing FTP Server 6.2.5 - Privilege Escalation] CVE-2020-8635 [Wing FTP Server 6.2.3 - Privilege Escalation] CVE-2020-8835 [Linux Kernel 5.4 or Linux Kernel 5.4] CVE-2019-7304 [2.34.2ubuntu0.1 or 2.35.5+18.10.1] CVE-2019-13272 [Linux kernel before 5.1.17]

Not ready yet

Linux Kernel Exploitation Some exploitation methods and techniques are outdated and don't work anymore on newer kernels Pull requests are welcome Books 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani Exploitation techniques 2018: "Linux-Kernel-Exploit Stack Smashing" [article] 2018, HitB: "Mirror

Linux Kernel Exploitation Pull requests are welcome Books 2014: "Android Hacker's Handbook" by Joshua J Drake 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani Workshops 2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop] Exploitation Techniques 2020: "Structures that can be u

A bunch of links related to Linux kernel exploitation

linux-kernel-exploitation Books 2014: "Android Hacker's Handbook" by Joshua J Drake 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani Workshops 2020: "pwncollege: Module: Kernel Security" [workshop] 2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop] Exploitation Techniqu

A compilation of all security news published on the Alpha Lab (阿尔法实验室) WeChat public account in 2020

Follow the Alpha Lab (阿尔法实验室) WeChat public account 20201231 [Vulnerability] The 10 most critical CVEs added in 2020 blog.detectify.com/2020/12/30/top-10-critical-cves-added-in-2020/ UAF vulnerability in Chromium RawClipboardHostImpl bugs.chromium.org/p/chromium/issues/detail?id=1101509 [Tool] Sarenka: an OSINT tool that gathers data from services such as Shodan and Censys in one place

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation This could lead to remote code execution over Bluetooth with no additional execution privileges needed User interaction is not needed for exploitation Product: Android Versions: Android-8.0 Android-8.1 Android-9 Andr

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

LKRG: Linux to Get a Loadable Kernel Module for Runtime Integrity Checking
BleepingComputer • Catalin Cimpanu • 04 Feb 2018

Members of the open source community are working on a new security-focused project for the Linux kernel. Named Linux Kernel Runtime Guard (LKRG), this is a loadable kernel module that will perform runtime integrity checking of the Linux kernel.
Its purpose is to detect exploitation attempts for known and unknown security vulnerabilities against the Linux kernel and attempt to block attacks.
LKRG will also detect privilege escalation for running processes, and kill the running process...