Re: [iputils] Integer overflow in iputils ping/ping6 tools

["James Condron" <james () zero-internet org uk>]

Awww come on,

Let the have their win. You're the kind of guy who tells a 3 year old their finger painting on the fridge is shit, 
aren't you.


Sent using BlackBerry® from Orange

-----Original Message-----
From: Marcus Meissner <meissner () suse de>
Sender: full-disclosure-bounces () lists grok org uk
Date: Tue, 13 Mar 2012 23:17:41 
To: Christophe Alladoum<Christophe.Alladoum () hsc fr>
Cc: <full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] [iputils] Integer overflow in iputils
        ping/ping6 tools

Hi,

How is this different from writing a fork bomb?

Ciao, Marcus

On Tue, Mar 13, 2012 at 09:42:29AM +0100, Christophe Alladoum wrote:
> ====[ Description ]====
>
> An integer overflow was found in iputils/ping_common.c main_loop() function
> which could lead to excessive CPU usage when triggered (could lead to DoS). This
> means that both ping and ping6 are vulnerable.
>
>
> ====[ Proof-Of-Concept ]====
>
> Specify "big" interval (-i option) for ping/ping6 tool:
> {{{
> $ ping -i 3600 google.com
> PING google.com (173.194.66.102) 56(84) bytes of data.
> 64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 time=11.4 ms
> [...]
> }}}
>
> And check your CPU usage (top, htop, etc.)
>
>
> ====[ Explanation ]====
>
> Here, ping will loop in main_loop() loop in this section of code :
> {{{
> /* from iputils-s20101006 source */
> /* ping_common.c */
>
>     546 void main_loop(int icmp_sock, __u8 *packet, int packlen)
>     547 {
> [...]
>     559         for (;;) {
> [...]
>     572                 do {
>     573                         next = pinger();
>     574                         next = schedule_exit(next);
>     575                 } while (next <= 0);
> [...]
>     588                 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) || next<SCHINT(interval)) {
> [...]
>     593                         if (1000*next <= 1000000/(int)HZ) {
> }}}
>
> If interval parameter (-i) is set, then condition L593 will overflow (ie. value
> exceeding sizeof(signed integer)), making this statement "always true" for big
> values (e.g. -i 3600). As a consequence, ping process will start looping
> actively as long as condition is true (could be pretty long).
>
> As far as looked, this bug is unlikely to be exploitable besides provoking
> Denial-Of-Service.
>
>
> ====[ Affected versions ]====
>
> Tested on Fedora/Debian/Gentoo Linux system (2.6.x x86_32 and x86_64) on iputils
> version 20101006. ping6 seems also to be affected since it's relying on same
> ping_common.c functions.
>
> Since iputils is not maintained any longer
> (http://www.spinics.net/lists/netdev/msg191346.html), patch must be applied from
> source.
>
>
> ====[ Patch ]====
> Quick'n dirty patch (full patch in appendix) is to cast test result as long long:
> {{{
>     593                  if (((long long)1000*next) <= (long long)1000000/(int)HZ) {
> }}}
>
>
> ====[ Credits ]====
> * Christophe Alladoum (HSC)
> * Romain Coltel (HSC)
>
>
> -- 
> Christophe Alladoum - <christophe.alladoum () hsc fr>
> Hervé Schauer Consultants - <http://www.hsc.fr>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg)
Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/