Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAP8jf_A2x6qceLjfJa6fHyDLQU4n9cdVm-Wc_V4awKy_zBQ66g@mail.gmail.com>
Date: Tue, 5 Dec 2017 00:11:41 +0000
From: Mohamed Ghannam <simo.ghannam@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-8824 linux: use-after-free in DCCP code

Hi,


This is an announcement for CVE-2017-8824 which is a use-after-free
vulnerability

I found in Linux DCCP socket. It can be used to gain kernel code execution
from unprivileged processes.



You’ll find in attachment the proof of concept code and the kernel panic
log.



#######   BUG DETAILS  ############



When a socket sock object is in DCCP_LISTEN  state and connect() system
call is being called with AF_UNSPEC,

the dccp_disconnect() puts sock state into DCCP_CLOSED, and forgets to free
dccps_hc_rx_ccid/dccps_hc_tx_ccid and assigns NULL to them,

then when we call connect() again with AF_INET6 sockaddr family, the sock
object gets cloned via dccp_create_openreq_child() and returns a new sock
object,

which holds references of dccps_hc_rx_ccid and dccps_hc_tx_ccid of the old
sock object, and this leads to both the old and new sock objects can use
the same memory.



#######   LINKS  ############



http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824

http://lists.openwall.net/netdev/2017/12/04/224



#######   CREDITS  ############



Mohamed Ghannam

Content of type "text/html" skipped

Download attachment "kasan_report.log" of type "application/octet-stream" (8589 bytes)

View attachment "poc.c" of type "text/x-csrc" (2459 bytes)

Download attachment "rip.log" of type "application/octet-stream" (2861 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.