Bugtraq mailing list archives

Re: Local DoS on network by unprivileged user using setsockopt()


From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Wed, 8 Sep 1999 20:49:17 -0600


Has anyone verified whether other non BSD-OSes are vulnerable?
Specifically, Linux 2.0.x (or any pre-2.2.9) releases?

I just spent some time testing the exploit against Linux 2.2.6, and 2.2.9 w/
Andrea's Buffer-C patch.  The machine had 128 MB of RAM, 128 MB of swap, and a
K6-2 266 MHz CPU (the other machine I couldn't DoS had a 200 MHz Pentium w/
MMX and login resource restrictions).

The results are mixed.  When I first tested with 2.2.6, I did get a DoS.
The DoS went away when I updated the System.map file to be accurate.  After
some experimentation, it seems that it's more of a hit-and-miss situation (I
could DoS with valid/invalid System.map files).  Sometimes it would DoS
(looping about 290 to 300 times, pausing a second, then looping 20 more
times, and then causing out-of-memory situations), and sometimes it wouldn't
loop enough (and the kernel would reclaim the resources).  This seems to be
a well-hidden race in the Linux kernel, and both 2.2.6 and 2.2.9 (with the
patch) were affected.

The system I tested it on did not have login resource limits enforced, so
I'm assuming a good login resource policy would stop the DoS on at least the
2.2.x series (and possibly the 2.0.x series).  I've no idea if this will
affect the 2.3.x series.
