Vulnerability in Linux kernel AF_PACKET socket implementation

Three years after the wave of vulnerabilities (1, 2, 3, 4, 5) in the AF_PACKET subsystem of the Linux kernel, one more problem (CVE-2020-14386) has been identified that allows a local unprivileged user to execute code as root or to escape from isolated containers if root access is available inside them.

The CAP_NET_RAW capability is required to create an AF_PACKET socket and exploit the vulnerability. However, an unprivileged user can obtain this capability inside containers created on systems with user namespace support enabled. For example, user namespaces are enabled by default on Ubuntu and Fedora, but disabled on Debian and RHEL. On Android, the mediaserver process has the right to create AF_PACKET sockets, through which the vulnerability can be exploited.

The vulnerability is in the tpacket_rcv function and is caused by an error in the calculation of the netoff variable. An attacker can create conditions under which netoff is assigned a value smaller than the maclen variable, which causes an overflow in the calculation "macoff = netoff - maclen" and, as a consequence, an incorrectly set pointer to the buffer for incoming data. As a result, an attacker can cause 1 to 10 bytes to be written outside the allocated buffer. It is noted that an exploit that gains root privileges on the system is under development.
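To make the arithmetic concrete, here is a small C model of the offset calculation described above. It is added here as an illustration and is not the kernel's tpacket_rcv code. The names netoff, maclen and macoff come from the article; the frame length (FRAME_LEN), the header length (HDR_LEN), the caller-controlled reserve parameter and the 16-bit storage of netoff are assumptions of the model. It shows how a truncated netoff that is smaller than maclen makes the unsigned subtraction wrap to a huge offset, why a bounds check on the result alone can be fooled, and the check a hardened version performs before deriving any pointer.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the offset arithmetic discussed in the article. This is NOT
 * kernel code: netoff, maclen and macoff are the names from the article;
 * the frame length, header length, reserve parameter and 16-bit storage
 * of netoff are assumptions of this model. */

#define FRAME_LEN 2048u   /* assumed ring-buffer frame size */
#define HDR_LEN   32u     /* assumed fixed header length */

/* Model the calculation of netoff: header length plus a caller-controlled
 * reserve. Storing the sum in a 16-bit variable silently drops the high
 * bits, so a large reserve can yield a netoff smaller than maclen. */
unsigned short netoff_narrow(unsigned int hdrlen, unsigned int maclen,
                             unsigned int reserve)
{
    unsigned int full = hdrlen + (maclen < 16 ? 16 : maclen) + reserve;
    return (unsigned short)full;   /* truncation: full mod 65536 */
}

/* Unchecked subtraction, as in "macoff = netoff - maclen". With unsigned
 * operands, netoff < maclen wraps to a huge offset instead of going
 * negative, and a pointer derived from it lands outside the frame. */
unsigned int macoff_unchecked(unsigned int netoff, unsigned int maclen)
{
    return netoff - maclen;
}

/* Would a maclen-byte write at (netoff - maclen) stay inside a frame of
 * frame_len bytes? Uses the same wrapping arithmetic, so a wrapped offset
 * is reported as out of bounds rather than silently accepted. */
bool write_in_bounds(unsigned int netoff, unsigned int maclen,
                     unsigned int frame_len)
{
    unsigned int macoff = netoff - maclen;          /* may wrap */
    return macoff <= frame_len && maclen <= frame_len - macoff;
}

/* Hardened computation: reject the frame before any pointer is derived
 * when netoff is smaller than maclen (the wrap condition) or when the
 * header region would not fit in the frame. Returns false on rejection. */
bool macoff_checked(unsigned int netoff, unsigned int maclen,
                    unsigned int frame_len, unsigned int *macoff_out)
{
    if (netoff < maclen)
        return false;
    if (netoff > frame_len)
        return false;
    *macoff_out = netoff - maclen;      /* now provably in [0, frame_len] */
    return true;
}

/* Convenience wrapper: the checked macoff, or UINT_MAX when rejected. */
unsigned int macoff_checked_or_max(unsigned int netoff, unsigned int maclen,
                                   unsigned int frame_len)
{
    unsigned int m;
    return macoff_checked(netoff, maclen, frame_len, &m) ? m : UINT_MAX;
}

int main(void)
{
    unsigned int maclen = 14;   /* Ethernet header length */
    /* Constructed inputs: a zero reserve gives a sane netoff of 48; a
     * reserve of 65496 gives 65544, which truncates to 8 (< maclen). */
    unsigned int ok_netoff  = netoff_narrow(HDR_LEN, maclen, 0);
    unsigned int bad_netoff = netoff_narrow(HDR_LEN, maclen, 65496);
    unsigned int macoff = 0;

    printf("sane:     netoff=%u macoff=%u in_bounds=%d\n",
           ok_netoff, macoff_unchecked(ok_netoff, maclen),
           write_in_bounds(ok_netoff, maclen, FRAME_LEN));
    printf("wrapped:  netoff=%u macoff=%u in_bounds=%d\n",
           bad_netoff, macoff_unchecked(bad_netoff, maclen),
           write_in_bounds(bad_netoff, maclen, FRAME_LEN));
    printf("hardened: accepts sane=%d accepts wrapped=%d\n",
           macoff_checked(ok_netoff, maclen, FRAME_LEN, &macoff),
           macoff_checked(bad_netoff, maclen, FRAME_LEN, &macoff));
    return 0;
}
```

Compile with `cc -Wall model.c` and run it: the first line shows a sane offset of 34, the second shows netoff truncated to 8 and macoff wrapped to a value just below UINT_MAX, and the third shows the hardened path accepting only the former. The point for reviewers of similar code is that a wrapped macoff is a perfectly ordinary unsigned value, so the check must compare netoff against maclen before the subtraction instead of inspecting the result afterwards, and the width of the variable that receives netoff must match the range of the inputs that feed it.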

The problem has been present in the kernel since July 2008, i.e. it manifests itself in all current kernels. The fix is currently available as a patch. You can track the appearance of package updates in distributions on the following pages: Ubuntu, Fedora, SUSE, Debian, RHEL, Arch.

Source: opennet.ru