Tag Archives: Linux

CVE-2015-7547 glibc getaddrinfo stack-based buffer overflow PoC

Timeline :

Vulnerability introduced in May 2008 as part of glibc 2.9
Vulnerability discovered and reported to the vendor by Robert Holiday on 2015-07-13
Vulnerability fix stalled, with no progress, from 2015-08-22 to 2016-02
Vulnerability re-discovered and reported to the vendor by the Google team at the beginning of 2016
Patch provided on 2016-02-16
Details of the vulnerability and PoC provided by Google on 2016-02-16

PoC provided by :

Robert Holiday
Fermin J. Serna
Gynvael Coldwind
Thomas Garnier

Reference(s) :

CVE-2015-7547

Affected version(s) :

All versions of glibc 2.9 until version 2.23

Tested on :

Ubuntu 15.10 with glibc 2.21

Description :

A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with the AF_UNSPEC family. The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca-allocated buffer created by _nss_dns_gethostbyname4_r. Buffer management is simplified to remove the overflow. Thanks to the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. (CVE-2015-7547)

Commands :

aptitude show libc6
cat /etc/lsb-release
Set the nameserver in /etc/resolv.conf to 127.0.0.1
make
Start the server: python CVE-2015-7547-poc.py 
Launch the client: ./CVE-2015-7547-client

CVE-2015-8660 Linux Kernel OverLay Fail

Timeline :

Vulnerability discovered by Nathan Williams and reported to the vendor
Patched by the vendor on 2015-12-04
Advisory released on 2015-12-28
PoC provided by rebel on 2015-01-06

PoC provided by :

rebel

Reference(s) :

CVE-2015-8660

Affected version(s) :

Linux kernel through 4.3.3

Tested on :

Ubuntu Server 64-bit 15.10 with python installed

Description :

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Commands :

gcc -o CVE-2015-8660 CVE-2015-8660.c
id
./CVE-2015-8660
id

CVE-2013-1763 SOCK_DIAG vulnerability in Linux kernel 3.3 to 3.8 Demo

Timeline :

Vulnerability discovered and reported to the vendor by Mathias Krause on 2013-02-23
PoC provided on 2013-02-25

PoC provided by :

Mathias Krause
SynQ

Reference(s) :

CVE-2013-1763

Affected version(s) :

Linux Kernel 3.3 to 3.8

Tested on :

Ubuntu 12.10 x86 with kernel 3.5.0-17-generic

Description :

Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater than or equal to AF_MAX, the size of the sock_diag_handlers[] array. The current code does not test for this condition and is therefore vulnerable to an out-of-bounds access, opening the door to privilege escalation.
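Both the glibc description above (two answers written into one fixed-size buffer) and this kernel description (a user-supplied index into a fixed-size handler table) come down to a missing size check before a write or a lookup. The following C is an added illustration written for this page, not glibc or kernel code: every name prefixed `toy_` is a constructed stand-in (TOY_AF_MAX is a small made-up table size, the handlers return arbitrary numbers), and the buffer sizes in the demo are chosen only to show where the checks bite.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Two DNS answers into one fixed buffer (pattern behind CVE-2015-7547) --- */

/* Append one answer to a caller-owned buffer of bufsz bytes. *used records how
 * much of the buffer the first (A) answer already occupies. Checking against
 * the remaining space, not the total size, is what keeps the second (AAAA)
 * answer from running past the end. Writes nothing and returns false if the
 * answer does not fit. */
bool toy_append_answer(uint8_t *buf, size_t bufsz, size_t *used,
                       const uint8_t *answer, size_t anslen)
{
    if (buf == NULL || used == NULL || *used > bufsz)
        return false;
    if (anslen > bufsz - *used)          /* remaining space check */
        return false;
    memcpy(buf + *used, answer, anslen);
    *used += anslen;
    return true;
}

/* Receive an A answer followed by an AAAA answer; return how many were kept. */
int toy_receive_pair(uint8_t *buf, size_t bufsz,
                     const uint8_t *a, size_t alen,
                     const uint8_t *aaaa, size_t aaaalen)
{
    size_t used = 0;
    int accepted = 0;
    if (toy_append_answer(buf, bufsz, &used, a, alen)) accepted++;
    if (toy_append_answer(buf, bufsz, &used, aaaa, aaaalen)) accepted++;
    return accepted;
}

/* Self-contained check: a 64-byte answer buffer fed two constructed answers
 * of the requested lengths (payload bytes are filler). */
int toy_demo(size_t alen, size_t aaaalen)
{
    uint8_t buf[64];
    uint8_t ans[64];
    memset(ans, 0xAB, sizeof ans);
    if (alen > sizeof ans || aaaalen > sizeof ans)
        return -1;
    return toy_receive_pair(buf, sizeof buf, ans, alen, ans, aaaalen);
}

/* --- 2. Handler table indexed by address family (pattern behind CVE-2013-1763) --- */

#define TOY_AF_MAX 4   /* constructed table size; the real AF_MAX is larger */

typedef int (*toy_diag_handler)(int family);

static int toy_handle_unix(int family) { return 100 + family; }
static int toy_handle_inet(int family) { return 200 + family; }

/* Slots without a registered handler are NULL, as in a sparse family table. */
static toy_diag_handler toy_sock_diag_handlers[TOY_AF_MAX] = {
    NULL, toy_handle_unix, toy_handle_inet, NULL,
};

/* Dispatch a request by the family the caller supplied. The range check is
 * the guard the description says was missing: without it, a family >=
 * TOY_AF_MAX would index past the end of the table. Returns -1 for an
 * out-of-range or unregistered family. */
int toy_sock_diag_dispatch(int family)
{
    if (family < 0 || family >= TOY_AF_MAX)
        return -1;
    toy_diag_handler h = toy_sock_diag_handlers[family];
    if (h == NULL)
        return -1;
    return h(family);
}

int main(void)
{
    printf("40+40 into 64 bytes: %d answer(s) kept\n", toy_demo(40, 40));
    printf("30+34 into 64 bytes: %d answer(s) kept\n", toy_demo(30, 34));
    printf("family %d -> %d\n", TOY_AF_MAX, toy_sock_diag_dispatch(TOY_AF_MAX));
    return 0;
}
```

In the buffer case the second answer is refused once the first has consumed the space it needs; in the table case any family at or beyond the table size is rejected before the array is touched, which is the shape of the upstream fix described in the advisory text.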

Commands :

id
gcc -o CVE-2013-1763 CVE-2013-1763.c
./CVE-2013-1763 Ubuntu
id

Year 2012 Main Exploitable Vulnerabilities Interactive Timeline

Clicking on the following image opens a timeline visualization of the main exploitable vulnerabilities of 2012.

The start date of a slide corresponds to:

  • the date of discovery of the vulnerability, or
  • the date of report to the vendor, or
  • the date of public release of the vulnerability

The end date of a slide corresponds to:

  • the date of vendor security alert notification, or
  • the date of Metasploit integration, or
  • the date of fix, or
  • the date of PoC disclosure