CVE-2017-1000112

HIGH

Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation

Title source: metasploit

Description

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

Exploits (10)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/45147

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Andrey Konovalov · clocallinux

https://www.exploit-db.com/exploits/43418

View Code ZIP pw:eip

exploitdb WORKING POC

by bcoles · clocallinux

https://www.exploit-db.com/exploits/47169

View Code ZIP pw:eip

github WORKING POC 8 stars

by codecat007 · cpoc

https://github.com/codecat007/cvehub/tree/main/android/kernel/EXP-CVE-2017-1000112

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by Spydomain · poc

https://github.com/Spydomain/CVE-2017-1000112-PoC

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by IT19083124 · poc

https://github.com/IT19083124/SNP-Assignment

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by ol0273st-s · poc

https://github.com/ol0273st-s/CVE-2017-1000112-Adpated

View Code ZIP pw:eip

gitlab

by os-exploit · poc

https://gitlab.com/penetration-test-learn/10vuln/os-exploit/bcoles-kernel-exploits

nomisec WORKING POC

by hikame · poc

https://github.com/hikame/docker_escape_pwn

View Code ZIP pw:eip

metasploit WORKING POC GOOD

by Andrey Konovalov, h00die, bcoles · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/ufo_privilege_escalation.rb

View Code ZIP pw:eip

References (13)

[Mailing List, Patch, Third Party Advisory] http://seclists.org/oss-sec/2017/q3/277

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3981

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/100262

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1039162

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2918

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2930

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2931

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:3200

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1931

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1932

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:4159

[Third Party Advisory] https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45147/

Scores

CVSS v3 7.0

EPSS 0.8409

EPSS Percentile 99.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-362

Status published

Products (1)

linux/linux_kernel 2.6.15 - 3.10.108

Published Oct 05, 2017

Tracked Since Feb 18, 2026