
Exploiting the Linux kernel via packet sockets - jgrahamc
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
======
eyalm
Bottom line - locally exploitable vulnerability in the Linux kernel, in case
you have the CAP_NET_RAW capability, which never really happens. Not a real
security threat for your standard Linux distro.

On the other hand, this is a great technical write-up that describes
thoroughly the internals of some of the Linux kernel subsystems. Probably the
best documentation you can find for some subsystems. Also shows how they
bypassed exploit mitigation techniques such as KASLR, SMAP & SMEP.

~~~
dohqu8Zi
No.

Create a new user namespace and you have CAP_NET_RAW within your shiny new
namespace.

~~~
d33
That's pretty interesting. Does it mean it allows escaping Docker containers
if you compromise a service run as root in it?

~~~
dohqu8Zi
No, Docker usually drops CAP_NET_RAW within the container. But you can change
that and other container technologies definitely keep CAP_NET_RAW within the
container.

~~~
wrongmmmm
Not true. CAP_NET_RAW is on by default:
[https://github.com/moby/moby/blob/master/oci/defaults_linux....](https://github.com/moby/moby/blob/master/oci/defaults_linux.go#L62-L77)

Otherwise no one could ping from a container.

~~~
dohqu8Zi
Thanks for the correction.

------
thesz
Is it only me who remembered that [1] piece of parody?

[1] [http://web.mit.edu/adorai/www/seuss-technical-writing.html](http://web.mit.edu/adorai/www/seuss-technical-writing.html)

------
tener
Great read as usual. They are doing a big service to the people out there by
hunting bugs like this one and putting the pressure on the vendors to fix
their products.

------
fencepost
Someone correct me if I'm wrong:

This is a locally exploitable privilege escalation involving creation of the
socket, triggerable from user level, so exploitable by local users or as a
followup after another exploit is used to get some level of local access,
correct?

~~~
eyalm
Not really. It requires having the CAP_NET_RAW capability, which is pretty rare.
(This capability allows you raw access to the network interface, which is
usually only given to the root user.)

~~~
scarybeast
No. It's exploitable by a normal unprivileged user on modern Ubuntu. From the
article, "Let’s see how we can exploit this vulnerability. I’m going to be
targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with
KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to
unprivileged users (CONFIG_USER_NS=y and no restrictions on its usage), so
the bug can be exploited to gain root privileges by an unprivileged user."

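The thread turns on two facts a defender can verify on a given host: whether a process actually holds CAP_NET_RAW in its effective set, and whether the kernel lets unprivileged users create user namespaces (which hands out CAP_NET_RAW inside the new namespace, as quoted above). The following script is an added example, not code from the Project Zero article or from anyone in this thread. It decodes the `CapEff` mask from `/proc/<pid>/status` text and reads the two sysctls that commonly gate unprivileged user namespaces (`kernel.unprivileged_userns_clone`, a Debian/Ubuntu-specific knob, and `user.max_user_namespaces`). The status samples embedded below are constructed; the first one is a mask resembling a Docker default capability set.

```python
import re

# Capability number for CAP_NET_RAW, as defined in <linux/capability.h>.
CAP_NET_RAW = 13

# Constructed sample of /proc/<pid>/status text: a mask resembling the
# Docker default capability set (includes bit 13, CAP_NET_RAW).
SAMPLE_STATUS_CONTAINER = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
)

# Constructed sample: an ordinary unprivileged shell with no capabilities.
SAMPLE_STATUS_UNPRIV = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
)

# sysctl names (dotted form) whose /proc/sys path is derived below.
USERNS_SYSCTLS = ("kernel.unprivileged_userns_clone", "user.max_user_namespaces")


def parse_cap_mask(status_text, field="CapEff"):
    """Return the integer bitmask for one Cap* line of /proc/<pid>/status text."""
    match = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % field, status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no %s line in status text" % field)
    return int(match.group(1), 16)


def has_cap(mask, cap_number):
    """True if capability `cap_number` is set in `mask`."""
    return bool((mask >> cap_number) & 1)


def net_raw_in_effective_set(status_text):
    """True if the process described by `status_text` holds CAP_NET_RAW right now."""
    return has_cap(parse_cap_mask(status_text, "CapEff"), CAP_NET_RAW)


def unprivileged_userns_allowed(sysctl_values):
    """Decide from sysctl contents whether unprivileged user namespaces are permitted.

    `sysctl_values` maps a dotted sysctl name to the raw text read from
    /proc/sys. A knob that is absent is treated as "not restricting", which
    matches a kernel built without that knob.
    """
    clone = sysctl_values.get("kernel.unprivileged_userns_clone")
    if clone is not None and clone.strip() == "0":
        return False
    max_ns = sysctl_values.get("user.max_user_namespaces")
    if max_ns is not None and max_ns.strip() == "0":
        return False
    return True


def read_live_sysctls():
    """Read the user-namespace sysctls from the running kernel; skip ones that don't exist."""
    values = {}
    for name in USERNS_SYSCTLS:
        path = "/proc/sys/" + name.replace(".", "/")
        try:
            with open(path) as handle:
                values[name] = handle.read()
        except OSError:
            pass  # knob not present on this kernel
    return values


def live_report():
    """Report on the calling process and kernel (only meaningful on Linux)."""
    with open("/proc/self/status") as handle:
        status = handle.read()
    return {
        "cap_net_raw_effective": net_raw_in_effective_set(status),
        "unprivileged_userns_allowed": unprivileged_userns_allowed(read_live_sysctls()),
    }


if __name__ == "__main__":
    print("container-like sample holds CAP_NET_RAW:",
          net_raw_in_effective_set(SAMPLE_STATUS_CONTAINER))
    print("unprivileged sample holds CAP_NET_RAW:",
          net_raw_in_effective_set(SAMPLE_STATUS_UNPRIV))
    try:
        print("live host:", live_report())
    except OSError:
        print("live check skipped: /proc not available")
```

A host where `unprivileged_userns_allowed` returns True is in the situation the article describes for Ubuntu 16.04: any local user can obtain CAP_NET_RAW in a fresh namespace, so the "only root has it" reasoning from earlier in the thread does not hold there. Setting `kernel.unprivileged_userns_clone=0` (where the knob exists) or `user.max_user_namespaces=0` is the corresponding mitigation.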
------
est
So are there any Android binaries that have CAP_NET_RAW so I can root the device?

~~~
yjftsjthsd-h
Ping?

------
Achshar
I wish I was smart enough for the article. 8 years of web dev doesn't make the
cut unfortunately.

~~~
_jordan
Yeah, webapps in general are the most simple aspect of programming that you can
get paid to do. Not knocking it though.

~~~
yeukhon
(and I can't do any frontend work). Every job has its own difficulties and its
own obstacles.

off-topic, btw, I read tpacket == tptacek. He can easily hide in Linux kernel.
No one noticed, until now.

~~~
schoen
Hey, it's an anagram!

I believe that the serial device /dev/ttyS0 was named in honor of Theodore
Ts'o. So maybe tpacket could be at least retroactively declared to honor
tptacek.

------
lowbloodsugar
Such great education material.

------
googsh0tz
You know, like I said, the Intel thing.

~~~
AnimalMuppet
I don't think this is related to the Intel thing at all. It's not technically
related, and it's not related in terms of severity.

~~~
dom0
Either has headlines made of words, so that's something.

