Today a report emerged about another serious vulnerability in the open-source world, CVE-2016-0728. It is a local privilege escalation in Linux kernel 3.8+.

What are the possible real-world exploitation scenarios, consequences and possibilities to mitigate (except patching the kernel)?

Thoughts/Related:

  • The related question about Docker also has interesting thoughts. You might be able to break out of a container!
Jakuje
  • The link you mention talks about it - is there something in the link that does not answer your question? Malware on Linux or Android could gain root access. – schroeder Jan 19 '16 at 22:11
  • Yes, the link describes it quite well and in detail further down, as research papers usually do. Malware is a good example, the same as software from unknown sources. Also I was wondering about the effect of SELinux, AppArmor or other security modules used nowadays. – Jakuje Jan 19 '16 at 22:22
  • The authors say they will post about all that later on, and how they got around those protections. I think this question is premature. – schroeder Jan 19 '16 at 22:38
  • Has anybody heard about successful exploitation of this vulnerability? I mean except the original reporters? – Vladimir Kunschikov Jan 20 '16 at 13:35
  • @VladimirKunschikov I didn't see any. Before I updated, I left the code running for some time, until it ran out of memory and froze my whole system. Also people from reddit didn't report success as I was checking last time. – Jakuje Jan 20 '16 at 18:38

1 Answer

You could try the exploit directly on any given host and determine your own level of risk. My initial thought is that even on Android, many kernels have SMEP/SMAP enabled, thus preventing the canned exploit code above. One would need to rewrite the exploit with ROP or use a similar SMEP/SMAP bypass technique. (Update 2016/Feb/06 -- Collin R. Mulliner discusses on his blog why most Android devices are not affected)

Because this is a counter-wrapping flaw, this bug has some starting and counting problems that must also be overcome, which the PoC exploit in my first sentence does not take into account.

atdre
  • SMEP/SMAP require hardware support to be present, no? – leoluk Jan 20 '16 at 09:52
  • @leoluk: yes, but even ARM processors (and most server-based Intel ones) include this sort of support. – atdre Jan 20 '16 at 16:40
  • Most Android systems do not have SMEP and SMAP. Android typically runs on the ARM architecture, and ARM has PXN and PAN (Privileged eXecute Never and Privileged Access Never, respectively) which are similar, though slightly more secure (as PAN also hides information about the page table, like PaX's segmentation-based UDEREF). It's important to remember that SMEP and SMAP are not the names of a class of processor features, but a specific trademarked implementation by Intel. – forest Mar 17 '18 at 05:19