[plug] FW: Linux 2.0.36 vulnerable to local port/memory DoS attack (fwd)

Rob Hall rob at hcm.iinet.net.au
Mon Jan 25 15:54:42 WST 1999


What do all you hackers reckon about this?

Regards,


Rob Hall


~~~~~~~~~~~~~~~~~~~~~``
Heights Computer Management
"Making computers work for you."

rob at hcm.iinet.net.au
www.hcm.iinet.net.au

08 9342 2664
0414 954 068

---------- Forwarded message ----------
Date: Tue, 19 Jan 1999 11:33:19 -0800
From: David Schwartz <davids at WEBMASTER.COM>
To: BUGTRAQ at netspace.org
Subject: Linux 2.0.36 vulnerable to local port/memory DoS attack


        I discovered an exploitable bug in Linux kernel 2.0.35 in September
of
1998. I reported it to the Linux developers. I was assured that this bug was
part of a family of similar bugs that would soon be banished from the Linux
kernel. In fact, I was told the release of 2.0.36 was being delayed to allow
this bug, and others like it, to be fixed.

        Well, I just tested the exploit against a stock 2.0.36 kernel, and
unfortunately, the attack still works. 2.1.x and the 2.2.x-pre builds are
not vulnerable. A local unprivileged account is required to launch this
attack. Multithreaded programs that work perfectly on other operating
systems may accidentally trigger this bug on affected Linux systems.

        The effect of this bug is that anyone with a local account can
permanently
(until a reboot) steal any ports he or she wants (>1024, of course). It
becomes subsequently impossible to listen on this port. Oddly, the kernel
itself continues listening on the port and accepts incoming TCP connections.

        Kernel memory can be leaked in any quantity desired. Any number of
ports
can be made unusable.

        You will know if this bug has been exploited on your system because
you
will see sockets stuck permanently in the 'CLOSE_WAIT' state. The only cure
is a reboot. As far as I can tell, there is no way to determine which user
launched the attack once their process terminates. (I checked the uid field
in the kernel, it's blank.)

        The way you trigger the bug is to open the port, and then while one
thread
selects on the port, another closes it. Due to the select, the close fails.
The close can never happen again, as far as I know.

        The attached exploit code demonstrates the bug without harming the
system
too badly. Much more vicious exploits can be written trivially.

        David Schwartz
        <davids at webmaster.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: killport.c
Type: application/octet-stream
Size: 2193 bytes
Desc: not available
URL: <http://lists.plug.org.au/pipermail/plug/attachments/19990125/46087e7a/attachment.obj>


More information about the plug mailing list