Vulnerabilities > CVE-2016-2059 - Improper Privilege Management vulnerability in multiple products

047910
CVSS 7.0 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
linux
google
CWE-269
nessus
NVD
Published: 2016-05-05
Updated: 2020-08-03

Summary

The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service (race condition and list corruption) by making many BIND_CONTROL_PORT ioctl calls.

Vulnerable Configurations

Part Description Count
OS
Linux
1005
OS
Google
24

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

NASL familyHuawei Local Security Checks
NASL idEULEROS_SA-2019-1521.NASL
descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.(CVE-2017-7895i1/4%0 - A flaw was found in the Linux kernel
last seen2020-03-19
modified2019-05-14
plugin id124974
published2019-05-14
reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/124974
titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1521)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124974);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-4348",
    "CVE-2014-5045",
    "CVE-2014-5206",
    "CVE-2014-7825",
    "CVE-2014-8369",
    "CVE-2014-8989",
    "CVE-2015-8785",
    "CVE-2016-2059",
    "CVE-2016-2185",
    "CVE-2016-2188",
    "CVE-2016-3713",
    "CVE-2016-7039",
    "CVE-2017-13695",
    "CVE-2017-15649",
    "CVE-2017-15951",
    "CVE-2017-17805",
    "CVE-2017-6874",
    "CVE-2017-7895",
    "CVE-2018-13093",
    "CVE-2018-7492"
  );
  script_bugtraq_id(
    63536,
    68862,
    69214,
    70747,
    70749,
    70972,
    71154,
    71367
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1521)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - The NFSv2 and NFSv3 server implementations in the Linux
    kernel through 4.10.13 lacked certain checks for the
    end of a buffer. A remote attacker could trigger a
    pointer-arithmetic error or possibly cause other
    unspecified impacts using crafted requests related to
    fs/nfsd/nfs3xdr.c and
    fs/nfsd/nfsxdr.c.(CVE-2017-7895i1/4%0

  - A flaw was found in the Linux kernel's ACPI subsystem
    where a function does not flush the operand cache and
    causes a kernel stack dump. This allows local users to
    obtain sensitive information from kernel memory and
    bypass the KASLR protection mechanism when using a
    specially crafted ACPI table.(CVE-2017-13695i1/4%0

  - It was found that fanout_add() in
    'net/packet/af_packet.c' in the Linux kernel, before
    version 4.13.6, allows local users to gain privileges
    via crafted system calls that trigger mishandling of
    packet_fanout data structures, because of a race
    condition (involving fanout_add and packet_do_bind)
    that leads to a use-after-free bug.(CVE-2017-15649i1/4%0

  - Race condition in kernel/ucount.c in the Linux kernel
    through 4.10.2 allows local users to cause a denial of
    service (use-after-free and system crash) or possibly
    have unspecified other impact via crafted system calls
    that leverage certain decrement behavior that causes
    incorrect interaction between put_ucounts and
    get_ucounts.(CVE-2017-6874i1/4%0

  - An out-of-bounds memory access flaw, CVE-2014-7825, was
    found in the syscall tracing functionality of the Linux
    kernel's perf subsystem. A local, unprivileged user
    could use this flaw to crash the system. Additionally,
    an out-of-bounds memory access flaw, CVE-2014-7826, was
    found in the syscall tracing functionality of the Linux
    kernel's ftrace subsystem. On a system with ftrace
    syscall tracing enabled, a local, unprivileged user
    could use this flaw to crash the system, or escalate
    their privileges.(CVE-2014-7825i1/4%0

  - The Salsa20 encryption algorithm in the Linux kernel,
    before 4.14.8, does not correctly handle zero-length
    inputs. This allows a local attacker the ability to use
    the AF_ALG-based skcipher interface to cause a denial
    of service (uninitialized-memory free and kernel crash)
    or have an unspecified other impact by executing a
    crafted sequence of system calls that use the
    blkcipher_walk API. Both the generic implementation
    (crypto/salsa20_generic.c) and x86 implementation
    (arch/x86/crypto/salsa20_glue.c) of Salsa20 are
    vulnerable.(CVE-2017-17805i1/4%0

  - The msm_ipc_router_bind_control_port function in
    net/ipc_router/ipc_router_core.c in the IPC router
    kernel module for the Linux kernel 3.x, as used in
    Qualcomm Innovation Center (QuIC) Android contributions
    for MSM devices and other products, does not verify
    that a port is a client port, which allows attackers to
    gain privileges or cause a denial of service (race
    condition and list corruption) by making many
    BIND_CONTROL_PORT ioctl calls.(CVE-2016-2059i1/4%0

  - The do_remount function in fs/namespace.c in the Linux
    kernel through 3.16.1 does not maintain the
    MNT_LOCK_READONLY bit across a remount of a bind mount,
    which allows local users to bypass an intended
    read-only restriction and defeat certain sandbox
    protection mechanisms via a 'mount -o remount' command
    within a user namespace.(CVE-2014-5206i1/4%0

  - The ati_remote2_probe function in
    drivers/input/misc/ati_remote2.c in the Linux kernel
    before 4.5.1 allows physically proximate attackers to
    cause a denial of service (NULL pointer dereference and
    system crash) via a crafted endpoints value in a USB
    device descriptor.(CVE-2016-2185i1/4%0

  - It was found that the fix for CVE-2014-3601 was
    incomplete: the Linux kernel's kvm_iommu_map_pages()
    function still handled IOMMU mapping failures
    incorrectly. A privileged user in a guest with an
    assigned host device could use this flaw to crash the
    host.(CVE-2014-8369i1/4%0

  - A NULL pointer dereference was found in
    net/rds/rdma.c:__rds_rdma_map() function in the Linux
    kernel allowing local attackers to cause a system panic
    and a denial-of-service.(CVE-2018-7492i1/4%0

  - An issue was discovered in the XFS filesystem in
    fs/xfs/xfs_icache.c in the Linux kernel. There is a
    NULL pointer dereference leading to a system panic in
    lookup_slow() on a NULL inode-i1/4zi_ops pointer when
    doing pathwalks on a corrupted xfs image. This occurs
    because of a lack of proper validation that cached
    inodes are free during an allocation.(CVE-2018-13093i1/4%0

  - The iowarrior_probe function in
    drivers/usb/misc/iowarrior.c in the Linux kernel before
    4.5.1 allows physically proximate attackers to cause a
    denial of service (NULL pointer dereference and system
    crash) via a crafted endpoints value in a USB device
    descriptor.(CVE-2016-2188i1/4%0

  - Linux kernel built with the 802.1Q/802.1ad
    VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local
    Area Network(CONFIG_VXLAN) with Transparent Ethernet
    Bridging(TEB) GRO support, is vulnerable to a stack
    overflow issue. It could occur while receiving large
    packets via GRO path, as an unlimited recursion could
    unfold in both VLAN and TEB modules, leading to a stack
    corruption in the kernel.(CVE-2016-7039i1/4%0

  - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in
    the Linux kernel before 4.6.1 supports MSR 0x2f8, which
    allows guest OS users to read or write to the
    kvm_arch_vcpu data structure, and consequently obtain
    sensitive information or cause a denial of service
    (system crash), via a crafted ioctl
    call.(CVE-2016-3713i1/4%0

  - A flaw was found in the way the Linux kernel's VFS
    subsystem handled reference counting when performing
    unmount operations on symbolic links. A local,
    unprivileged user could use this flaw to exhaust all
    available memory on the system or, potentially, trigger
    a use-after-free error, resulting in a system crash or
    privilege escalation.(CVE-2014-5045i1/4%0

  - The KEYS subsystem in the Linux kernel before 4.13.10
    does not correctly synchronize the actions of updating
    versus finding a key in the 'negative' state to avoid a
    race condition, which allows local users to cause a
    denial of service or possibly have unspecified other
    impact via crafted system calls.(CVE-2017-15951i1/4%0

  - The skb_flow_dissect function in
    net/core/flow_dissector.c in the Linux kernel through
    3.12 allows remote attackers to cause a denial of
    service (infinite loop) via a small value in the IHL
    field of a packet with IPIP
    encapsulation.(CVE-2013-4348i1/4%0

  - The Linux kernel through 3.17.4 does not properly
    restrict dropping of supplemental group memberships in
    certain namespace scenarios, which allows local users
    to bypass intended file permissions by leveraging a
    POSIX ACL containing an entry for the group category
    that is more restrictive than the entry for the other
    category, aka a 'negative groups' issue, related to
    kernel/groups.c, kernel/uid16.c, and
    kernel/user_namespace.c.(CVE-2014-8989i1/4%0

  - An infinite-loop flaw was found in the kernel. When a
    local user calls the sys_writev syscall with a
    specially crafted sequence of iov structs, the
    fuse_fill_write_pages kernel function might never
    terminate, instead continuing in a tight loop. This
    process cannot be terminated and requires a
    reboot.(CVE-2015-8785i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1521
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1899f2b");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

The Hacker News

idTHN:88858C272BB7187F908C43D40345230D
last seen2018-01-27
modified2016-08-08
published2016-08-07
reporterSwati Khandelwal
sourcehttps://thehackernews.com/2016/08/hack-android-phone.html
titleWarning! Over 900 Million Android Phones Vulnerable to New 'QuadRooter' Attack

References