Re: CVE request - Linux kernel through 4.6.2 allows escalade privileges via IP6T_SO_SET_REPLACE compat setsockopt call

[Vitaly Nikolenko <vnik5287 () gmail com>]

Wasn't this already covered by CVE-2016-4997? There's a public exploit

https://www.exploit-db.com/exploits/40049/

I'm assuming for IPv6 this would be exactly the same except for
changing the setsockopt optname from IPT_SO_SET_REPLACE to
IP6T_SO_SET_REPLACE. The code path for IPv6 looks almost identical
unless I'm missing something?

Commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c included fixes for
ARP, IP and IPv6 and my assumption was that CVE-2016-4997 covered all
of them.

--
Vitaly

On 29 September 2016 at 23:45, Greg KH <greg () kroah com> wrote:
> On Thu, Sep 29, 2016 at 07:43:35AM +0000, 张谦 wrote:
> > Hi there,
> >
> > I found a memory corruption vulnerabiliry in Linux kernel through 4.6.2, and I
> > have a working exploit to escalade privileges which requires the ip6_tables
> > module to be loaded, that it is properly blocked on all up-to-date versions.
> >
> > Due to the number of users running vulnerable code(not update to 4.7 or
> > higher), and that this exploit is only available to security researchers and
> > kernel packagers upon request but that I don't want it to spread.
> >
> >
> >
> > I have reported this issue to Linux kernel official and they have already fixed
> > this.
>
> Note, this was fixed many months ago, in May of 2016, and went into the
> stable kernel updates in June, 2016.  Any distro that updated to the
> stable kernel updates received this fix then.
>
> Any distro that hasn't updated their kernel since then, well, you need
> to revaluate your trust of such a distro :)
>
> thanks,
>
> greg k-h