Vigil@nce - Linux kernel: memory corruption via IPT_SO_SET_REPLACE
May 2016 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker with CONFIG_USER_NS can generate a memory
corruption via the IPT_SO_SET_REPLACE option of the Linux kernel,
in order to trigger a denial of service, and possibly to run code.
Impacted products: Fedora, Linux, netfilter, Ubuntu.
Severity: 2/4.
Creation date: 10/03/2016.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel implements the IPT_SO_SET_REPLACE option of
setsockopt() which alters a rule of netfilter iptables. The usage
of this option requires no privileges when CONFIG_USER_NS=y.
However, an attacker can create an ipt_entry structure with a
next_offset field too large, which leads to a memory corruption.
A local attacker with CONFIG_USER_NS can therefore generate a
memory corruption via the IPT_SO_SET_REPLACE option of the Linux
kernel, in order to trigger a denial of service, and possibly to
run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-IPT-SO-SET-REPLACE-19150