Google researcher Andrey Konovalov has revealed details of a Linux kernel vulnerability that can be exploited via packet sockets to escalate privileges.
The flaw, he explains, is a signedness issue that leads to an exploitable heap out-of-bounds write. To trigger the bug, one would need to provide “specific parameters to the PACKET_RX_RING option on an AF_PACKET socket with a TPACKET_V3 ring buffer version enabled.”
Tracked as CVE-2017-7308, the vulnerability is created by the fact that the packet_set_ring function in net/packet/af_packet.c in the Linux kernel up to 4.10.6 does not properly validate certain block-size data. Because of that, a local user can cause a denial of service or gain privileges via crafted system calls.
According to Konovalov, the issue was introduced in August 2011, together with the TPACKET_V3 implementation. In August 2014, an attempt was made to resolve the vulnerability by adding more checks, but a proper fix wasn’t released until March 2017.
“The bug affects a kernel if it has AF_PACKET sockets enabled (CONFIG_PACKET=y), which is the case for many Linux kernel distributions. Exploitation requires the CAP_NET_RAW privilege to be able to create such sockets. However it’s possible to do that from a user namespace if they are enabled (CONFIG_USER_NS=y) and accessible to unprivileged users,” the researcher explains.
Packet sockets as a kernel feature are widely used, which results in a large number of popular Linux kernel distributions being impacted, including Ubuntu and Android. A complete list of vulnerable Linux kernel versions is available at SecurityFocus.
While updated Ubuntu kernels are already available, an update for Android won’t arrive until July, the researcher explains. However, he also notes that only some privileged components in the mobile platform have access to AF_PACKET sockets, while untrusted code is blocked from accessing it.
In addition to providing all of the necessary technical details pertaining to the vulnerability and exploit, Konovalov reveals that a way “to fix the overflow is to cast tp_sizeof_priv to uint64 before passing it to BLK_PLUS_PRIV.” He also notes that this is the approach he took in the fix sent upstream.
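The validation the fix tightens, as an added example that is not the kernel's source: a simplified reconstruction of the TPACKET_V3 block-size check modelled on the description above, with the assumed BLK_HDR_LEN constant and the exact shape of the pre-fix check as assumptions. It shows why 32-bit arithmetic lets an oversized tp_sizeof_priv slip through and why widening it to 64 bits closes the gap.

```c
/*
 * Added example, not kernel code: a reconstruction of the TPACKET_V3
 * block-size validation in packet_set_ring. BLK_HDR_LEN and the macro
 * shapes are assumptions modelled on the description; the point is the
 * arithmetic, not the exact kernel constants.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define V3_ALIGNMENT 8
/* Round x up to a multiple of a, computed in the type of x. */
#define ALIGN(x, a) (((x) + ((__typeof__(x))(a) - 1)) & ~((__typeof__(x))(a) - 1))
/* Assumed block header length (sizeof(struct tpacket_block_desc), 8-aligned). */
#define BLK_HDR_LEN 48u
#define BLK_PLUS_PRIV(sz_of_priv) (BLK_HDR_LEN + ALIGN((sz_of_priv), V3_ALIGNMENT))

/* Pre-fix check (assumed shape): every operand is 32-bit, so a large
 * tp_sizeof_priv wraps inside BLK_PLUS_PRIV, and the (int) cast then sees a
 * small positive difference. The bogus request is accepted. */
bool block_size_ok_vulnerable(uint32_t tp_block_size, uint32_t tp_sizeof_priv)
{
    return (int)(tp_block_size - BLK_PLUS_PRIV(tp_sizeof_priv)) > 0;
}

/* Fixed check, following the approach the article describes: widen
 * tp_sizeof_priv to 64 bits before BLK_PLUS_PRIV, so the sum cannot wrap and
 * a plain unsigned comparison is enough. */
bool block_size_ok_fixed(uint32_t tp_block_size, uint32_t tp_sizeof_priv)
{
    return (uint64_t)tp_block_size > BLK_PLUS_PRIV((uint64_t)tp_sizeof_priv);
}

int main(void)
{
    /* Constructed inputs: one sane request, one with an oversized private area. */
    const uint32_t block = 4096;
    const uint32_t sane_priv = 64;
    const uint32_t huge_priv = 0xfffffff0u;

    printf("sane priv: vulnerable=%d fixed=%d\n",
           block_size_ok_vulnerable(block, sane_priv), block_size_ok_fixed(block, sane_priv));
    printf("huge priv: vulnerable=%d fixed=%d\n",
           block_size_ok_vulnerable(block, huge_priv), block_size_ok_fixed(block, huge_priv));
    return 0;
}
```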
Creating a packet socket requires the CAP_NET_RAW privilege, which unprivileged users can acquire inside user namespaces (which expose a huge kernel attack surface, resulting in vulnerabilities such as CVE-2017-7184, disclosed at Pwn2Own 2017). Disabling user namespaces completely, or restricting their use to privileged users, mitigates the issue.
“To disable user namespaces completely you can rebuild your kernel with CONFIG_USER_NS disabled. Restricting user namespaces usage only to privileged users can be done by writing 0 to /proc/sys/kernel/unprivileged_userns_clone in Debian-based kernel. Since version 4.9 the upstream kernel has a similar /proc/sys/user/max_user_namespaces setting,” the researcher says.
Konovalov, who found the bug using the open-source Linux system call fuzzer syzkaller and the dynamic memory error detector KASAN, also published a proof-of-concept local root exploit for the flaw.