[11842] in bugtraq
Re: Local DoS on network by unprivileged user using setsockopt()
daemon@ATHENA.MIT.EDU (Dylan Griffiths)
Sat Sep 11 04:30:06 1999
Message-Id:  <37D7202D.80C6FEA4@bigfoot.com>
Date:         Wed, 8 Sep 1999 20:49:17 -0600
Reply-To: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
From: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
X-To:         John N Dvorak <dvorak@capu.net>
To: BUGTRAQ@SECURITYFOCUS.COM
> Has anyone verified whether other non BSD-OSes are vulnerable?
> Specifically, Linux 2.0.x (or any pre-2.2.9) releases?
I just spent some time testing the exploit against Linux 2.2.6, and 2.2.9 w/
Andrea's Buffer-C patch.  The machine had 128 MB of RAM, 128 MB of swap, and a
K6-2 266 MHz CPU (the other machine I couldn't DoS had a 200 MHz Pentium w/
MMX and login resource restrictions).
The results are mixed.  When I first tested with 2.2.6, I did get a DoS.
The DoS went away when I updated the System.map file to be accurate.  After
some experimentation, it seems that it's more of a hit-and-miss situation (I
could DoS with valid/invalid System.map files).  Sometimes it would DoS
(looping about 290 to 300 times, pausing a second, then looping 20 more
times, and then causing out-of-memory situations), and sometimes it wouldn't
loop enough (and the kernel would reclaim the resources).  This seems to be
a well-hidden race in the Linux kernel, and both 2.2.6 and 2.2.9 (with the
patch) were affected.
The system I tested it on did not have login resource limits enforced, so
I'm assuming a good login resource policy would stop the DoS on at least the
2.2.x series (and possibly the 2.0.x series).  I've no idea if this will
affect the 2.3.x series.
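The post above does not include the exploit itself, so the following is an added example (not code from Dylan Griffiths, the original reporter, or the thread) that demonstrates the one point a practitioner can act on: a per-login resource limit bounds how far a socket()+setsockopt() loop can get. It assumes RLIMIT_NOFILE (what `ulimit -n` or pam_limits would set) as the stand-in for the "login resource restrictions" mentioned, uses a plain socket()+setsockopt(SO_SNDBUF) pair as the stand-in for the undisclosed loop body, and the 16 MiB buffer request is arbitrary. It also reads back the SO_SNDBUF the kernel actually granted: on Linux the request is clamped to net.core.wmem_max, so the per-socket buffer is bounded independently of the descriptor cap.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one run of the socket loop under a descriptor cap. */
struct loop_result {
    int created;        /* sockets opened before socket() refused */
    int stop_errno;     /* errno that ended the loop; EMFILE means the cap hit */
    int granted_sndbuf; /* SO_SNDBUF the kernel reports after our request */
};

/* AF_INET is what the thread is about; fall back to AF_UNIX only when the
   environment forbids IP sockets outright (sandboxes often do).  A failure
   with EMFILE is deliberately not retried, since that is the cap we want. */
static int open_any_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 && (errno == EAFNOSUPPORT || errno == EPERM || errno == EACCES))
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
    return fd;
}

/* Lower the soft RLIMIT_NOFILE to `cap` (assumed stand-in for a login
   resource policy), then repeat socket()+setsockopt(SO_SNDBUF) until the
   kernel refuses.  All sockets are closed and the old soft limit restored
   before returning, so the caller's process is left as it was found. */
struct loop_result run_loop_under_cap(rlim_t cap, int requested_sndbuf)
{
    struct loop_result r = { 0, 0, -1 };
    struct rlimit old, lim;

    if (getrlimit(RLIMIT_NOFILE, &old) != 0) { r.stop_errno = errno; return r; }
    lim = old;
    lim.rlim_cur = cap < old.rlim_max ? cap : old.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0) { r.stop_errno = errno; return r; }

    /* Every fd is < rlim_cur, so at most rlim_cur sockets can ever exist. */
    int *fds = calloc((size_t)lim.rlim_cur, sizeof *fds);
    if (fds == NULL) { r.stop_errno = ENOMEM; setrlimit(RLIMIT_NOFILE, &old); return r; }

    for (;;) {
        int fd = open_any_socket();
        if (fd < 0) { r.stop_errno = errno; break; }
        fds[r.created++] = fd;

        /* The request itself is arbitrary; Linux clamps it to net.core.wmem_max
           (and reports the doubled, clamped value back via getsockopt). */
        setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &requested_sndbuf, sizeof requested_sndbuf);
        if (r.granted_sndbuf < 0) {
            int v; socklen_t l = sizeof v;
            if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &v, &l) == 0)
                r.granted_sndbuf = v;
        }
    }

    for (int i = 0; i < r.created; i++) close(fds[i]);
    free(fds);
    setrlimit(RLIMIT_NOFILE, &old);
    return r;
}

int main(void)
{
    struct loop_result r = run_loop_under_cap(64, 16 * 1024 * 1024);
    printf("sockets created before refusal: %d (stopped with %s)\n",
           r.created, strerror(r.stop_errno));
    printf("SO_SNDBUF requested 16 MiB, kernel granted: %d bytes\n", r.granted_sndbuf);
    return 0;
}
```

With a cap of 64 the loop cannot open more than 64 sockets no matter how many times it iterates, which is the mechanism by which a login resource policy would keep the "loop enough times" condition from being reached; without the cap, the same loop runs until the kernel's own limits intervene, which is the nondeterministic situation the post describes.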