
CVE-2016-0728 PoC — Linux kernel security vulnerability

Source
Associated Vulnerability
Title: Linux kernel security vulnerability (CVE-2016-0728)
Description: Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (United States). Linux kernel versions before 4.4.1 contain a security vulnerability caused by the join_session_keyring function in security/keys/process_keys.c mishandling object references under a certain error condition, which allows local users to gain privileges or cause a denial of service.
Description
A collection of code pertaining to CVE-2016-0728 (various authors)
Readme
# cve: A collection of code pertaining to CVE-2016-0728 (various authors)
* Excerpts from Linux, showing the evolution and fix of the bug
* Exploit code from Perception Point with added comments that explain what each line does.
* A short script that uses the leak to increment usage count, useful for determining whether the bug exists on your system.
* A version of the exploit that bypasses the syscall wrappers (for systems whose libc does not implement the keyctl wrappers).
* The first emergency patch from January 2016
* The best way to reproduce this exploit is to find an affected version of a Linux build, listed below. Distribution ISOs may contain back-ported patches, so you need to download the kernel source code and compile it yourself.
* Running the exploit on a modern version of Ubuntu (edited to retain the bug) gave strange results. I wrote test.c to track it, outputting to the keylog file. The program runs independently of the exploit, using nanosleep to control the sample frequency. keylog is the output from running at a 500 nanosecond period for about half a second.
* Interpreting the keylog file: the number on the left is the iteration number. A value is output whenever the slope changes. tState counts how many iterations have passed since the slope last changed. It is completely random and not worth studying.
* For this test there was unpredictable output and no integer overflow, which means the exploit fails on a modern version, edited or not. Instead, compile a version from the list.
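The usage-count leak check described in the third bullet, written out as an added example; this is not leak.c from this repository and not Perception Point's code. It creates and joins a session keyring, then re-joins the keyring it already holds: on a vulnerable kernel `join_session_keyring()` takes the "already our session keyring" path and returns without dropping the reference `find_keyring_by_name()` took, so every call adds one to the usage column in /proc/keys; after the patch the count stays flat. The function names `parse_keys_usage()` and `usage_from_proc_keys()`, the keyring name `leakcheck`, the iteration count and the embedded /proc/keys excerpt are this example's own assumptions and constructions.

```c
/* Added example for CVE-2016-0728: detect the join_session_keyring() refcount
 * leak by watching the usage column of /proc/keys. Not code from this repo. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

#ifndef KEYCTL_JOIN_SESSION_KEYRING
#define KEYCTL_JOIN_SESSION_KEYRING 1   /* value from <linux/keyctl.h> */
#endif

#define LEAK_KEYRING_NAME "leakcheck"   /* assumed name, any string works */
#define LEAK_ITERATIONS   100           /* far below the 32-bit wrap; just leaks 100 refs */

/* Constructed /proc/keys excerpt (not a real capture), used as test input.
 * Columns: serial flags usage timeout perms uid gid type description[: extra] */
const char SAMPLE_PROC_KEYS[] =
    "0f7a3b21 I--Q---     1 perm 1f3f0000     0     0 keyring   _uid.0: empty\n"
    "2a1b3c4d I--Q---  1005 perm 3f030000  1000  1000 keyring   leakcheck: empty\n"
    "33c0ffee I--Q---     2 perm 3f030000  1000  1000 keyring   _ses: 1\n"
    "3b9e1a0c I--Q---     1 perm 3f010000  1000  1000 user      leakcheck: 4\n";

/* Return the usage (refcount) column of the first *keyring* whose description
 * is exactly `desc` in a /proc/keys listing, or -1 if none is listed.
 * The keyring describe hook appends ": <n>" or ": empty" after the name. */
long parse_keys_usage(const char *listing, const char *desc)
{
    const char *line = listing;
    size_t dlen = strlen(desc);
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char flags[16], timeout[16], type[32];
            unsigned serial, perms;
            long usage;
            int uid, gid, consumed = 0;
            if (sscanf(buf, "%x %15s %ld %15s %x %d %d %31s %n",
                       &serial, flags, &usage, timeout, &perms,
                       &uid, &gid, type, &consumed) == 8
                && strcmp(type, "keyring") == 0) {
                const char *d = buf + consumed;   /* start of description */
                if (strncmp(d, desc, dlen) == 0
                    && (d[dlen] == '\0' || strncmp(d + dlen, ": ", 2) == 0))
                    return usage;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return -1;
}

/* Read the live /proc/keys (only keys the caller may view are listed). */
static long usage_from_proc_keys(const char *desc)
{
    static char buf[1 << 20];
    FILE *f = fopen("/proc/keys", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_keys_usage(buf, desc);
}

int main(void)
{
#if !defined(__linux__) || !defined(SYS_keyctl)
    fputs("this check needs a Linux kernel with keyctl(2) and /proc/keys\n", stderr);
    return 2;
#else
    /* Create (or find) a session keyring with our name and make it current. */
    if (syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, LEAK_KEYRING_NAME) < 0) {
        perror("keyctl(KEYCTL_JOIN_SESSION_KEYRING)");
        return 2;
    }
    long before = usage_from_proc_keys(LEAK_KEYRING_NAME);
    if (before < 0) { fputs("keyring not visible in /proc/keys\n", stderr); return 2; }

    /* Re-join the keyring we already hold: vulnerable kernels leak one ref per call. */
    for (int i = 0; i < LEAK_ITERATIONS; i++)
        if (syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, LEAK_KEYRING_NAME) < 0) {
            perror("keyctl"); return 2;
        }
    long after = usage_from_proc_keys(LEAK_KEYRING_NAME);
    printf("usage before: %ld, after %d re-joins: %ld\n", before, LEAK_ITERATIONS, after);
    if (after >= before + LEAK_ITERATIONS) {
        puts("VULNERABLE: usage count grew with every join (CVE-2016-0728 present)");
        return 1;
    }
    puts("not vulnerable: usage count did not grow");
    return 0;
#endif
}
```

Run it as an unprivileged user on the kernel under test; a result of 1 means the usage column grew by one per join, 0 means it stayed flat, and 2 means the check could not be carried out (no keyctl, or the keyring is not visible in /proc/keys), so no verdict is guessed. One hundred leaked references are harmless apart from the keyring never being freed; the exploit itself needs roughly 2^32 of them to wrap the counter, which is why a short run like this is a safe probe and not an exploit.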

# Affected Versions
* Red Hat Enterprise Linux 7
* CentOS Linux 7
* Scientific Linux 7
* Debian Linux stable 8.x (jessie)
* Debian Linux testing 9.x (stretch)
* SUSE Linux Enterprise Desktop 12
* SUSE Linux Enterprise Desktop 12 SP1
* SUSE Linux Enterprise Server 12
* SUSE Linux Enterprise Server 12 SP1
* SUSE Linux Enterprise Workstation Extension 12
* SUSE Linux Enterprise Workstation Extension 12 SP1
* Ubuntu Linux 14.04 LTS (Trusty Tahr)
* Ubuntu Linux 15.04 (Vivid Vervet)
* Ubuntu Linux 15.10 (Wily Werewolf)
* Opensuse Linux LEAP 42.x and version 13.x
* Oracle Linux 7


File Snapshot

[4.0K] /data/pocs/bf0308c022a14fc032dbbbb6e24fa5e1df842dc9
├── [4.2K] andr.c
├── [2.4K] bandaid.c
├── [8.4K] evolution_of_bug.c
├── [8.6K] expl.c
├── [5.5K] keylog
├── [ 908] leak.c
├── [2.0K] README.md
└── [3.2K] test.c

0 directories, 8 files