Immunity, Inc.
Name show_timer_leak
CVE CVE-2017-18344
Exploit Pack CANVAS
Descriptionshow_timer_leak
NotesCVE Name: CVE-2017-18344
NOTES: This module gives an unpriviledged user the ability to dump a file from the kernel
memory. A common scenario is to dump the /etc/shadow or kerberos tickets.
Note: For Fedora, the attack is targetless while for Ubuntu / CentOS and others
you will need specific offsets compiled within the binary itself.
Caveats:
1. Attacking vmware, vbox or bare metal is absolutely the same, performance wise.
2. Some targets are still not supported.
3. Not all the filesystems are handled. In particular tmpfs or XFS files cannot be leaked.
4. With this version you can only dump files fitting within a single page (<= 4096 bytes)
5. SMAP mitigates this vulnerability
About (possible) future versions:
--------------------------------
A completely targetless version (not exclusive to Fedora) may be written later

VersionsAffected:
CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18344
Repeatability: Infinite

Learn more about the CANVAS Exploit Pack here: CANVAS