Full Disclosure mailing list archives
Re: [iputils] Integer overflow in iputils ping/ping6 tools
From: Gage Bystrom <themadichib0d () gmail com>
Date: Tue, 13 Mar 2012 16:06:37 -0800
Shoulda gotten a lawyer o.O professor sex scandals can rake in decent money On Mar 13, 2012 4:32 PM, "Jeffrey Walton" <noloader () gmail com> wrote:
On Tue, Mar 13, 2012 at 6:17 PM, Marcus Meissner <meissner () suse de> wrote:Hi, How is this different from writing a fork bomb?:) Fork bombs can be remediated with RLIMIT_NPROC. The runaway ping program needs to be fixed and then recompiled. I suppose you could say the same about runaway fork'd programs, though. I had one accidentally get away from me in college. The professor who performed the post-mortem was very impressive. He had me fingered in under an hour. JeffOn Tue, Mar 13, 2012 at 09:42:29AM +0100, Christophe Alladoum wrote:====[ Description ]==== An integer overflow was found in iputils/ping_common.c main_loop()functionwhich could lead to excessive CPU usage when triggered (could lead toDoS). Thismeans that both ping and ping6 are vulnerable. ====[ Proof-Of-Concept ]==== Specify "big" interval (-i option) for ping/ping6 tool: {{{ $ ping -i 3600 google.com PING google.com (173.194.66.102) 56(84) bytes of data. 64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50time=11.4 ms[...] }}} And check your CPU usage (top, htop, etc.) ====[ Explanation ]==== Here, ping will loop in main_loop() loop in this section of code : {{{ /* from iputils-s20101006 source */ /* ping_common.c */ 546 void main_loop(int icmp_sock, __u8 *packet, int packlen) 547 { [...] 559 for (;;) { [...] 572 do { 573 next = pinger(); 574 next = schedule_exit(next); 575 } while (next <= 0); [...] 588 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) ||next<SCHINT(interval)) {[...] 593 if (1000*next <= 1000000/(int)HZ) { }}} If interval parameter (-i) is set, then condition L593 will overflow(ie. valueexceeding sizeof(signed integer)), making this statement "always true"for bigvalues (e.g. -i 3600). As a consequence, ping process will start looping actively as long as condition is true (could be pretty long). As far as looked, this bug is unlikely to be exploitable besidesprovokingDenial-Of-Service. ====[ Affected versions ]==== Tested on Fedora/Debian/Gentoo Linux system (2.6.x x86_32 and x86_64)on iputilsversion 20101006. ping6 seems also to be affected since it's relying onsameping_common.c functions. Since iputils is not maintained any longer (http://www.spinics.net/lists/netdev/msg191346.html), patch must beapplied fromsource. ====[ Patch ]==== Quick'n dirty patch (full patch in appendix) is to cast test result aslong long:{{{ 593 if (((long long)1000*next) <= (longlong)1000000/(int)HZ) {}}} ====[ Credits ]==== * Christophe Alladoum (HSC) * Romain Coltel (HSC)_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [iputils] Integer overflow in iputils ping/ping6 tools Christophe Alladoum (Mar 13)
- Re: [iputils] Integer overflow in iputils ping/ping6 tools Marcus Meissner (Mar 13)
- Re: [iputils] Integer overflow in iputils ping/ping6 tools James Condron (Mar 13)
- Re: [iputils] Integer overflow in iputils ping/ping6 tools Jeffrey Walton (Mar 13)
- Re: [iputils] Integer overflow in iputils ping/ping6 tools Gage Bystrom (Mar 13)
- Re: [iputils] Integer overflow in iputils ping/ping6 tools Darius Jahandarie (Mar 14)
- Re: [iputils] Integer overflow in iputils ping/ping6 tools Marcus Meissner (Mar 13)