FW: una-al-dia (22/12/1999) DoS attack on the Linux 2.0.x kernels (fwd)
Sandino Araico Sánchez
sandino en styx.net
Tue Jan 4 00:04:33 CST 2000
I'm attaching the beginning of the thread here (because the complete one is very messy)
for any 2.0 users who may be interested.
Whether there will be a 2.0.39 I don't know, I haven't finished reading it yet, but the
thread died out on December 17.
--
Sandino Araico Sánchez
We're here, you're free, get used to it!
--Stallman
Message-Id: <Pine.LNX.3.96.991213124114.178G-100000 en hobbe.tripnet.se>
From: Daniel Ryde <ryde en tripnet.se>
To: Multiple recipients of list LINUX-KERNEL <linux-kernel en samba.anu.edu.au>
Subject: [security] Big problem on 2.0.x? (fwd)
Date: Mon, 13 Dec 1999 22:58:45 +1100
Seen on Bugtraq. Works on 2.0.38 + Solar secure Linux patch.
Instant crash and burn.
Best Regards
Daniel Ryde, System Administrator
__________________________________________________________________________
Tripnet AB
Box 5071, S-402 22 GOTEBORG, Sweden
Visit Address: Avagen 42, GOTEBORG, Sweden
Telephone: +46 31 7252500
Facsimile: +46 31 7252501
Email: ryde en tripnet.se
---------- Forwarded message ----------
Date: Thu, 9 Dec 1999 10:51:45 -0600
From: Eduardo Cruz <eduardo.cruz en TS-G.COM>
To: BUGTRAQ en SECURITYFOCUS.COM
Subject: Big problem on 2.0.x?
Hello ppl.
Last week I was playing with my old Linux 2.0.36 i486 box, while I was playing with the command ping and trying combinations of commands
I found that when you do a ping -s 65468 -R ANYIPADDRESS (-R record route) the system starts to print kernel dumps on the screen,
freezes completely and after a few seconds the system reboots.
The major problem with this (if this is a bug, because I don't have time to install different kernels and test it better) is that this command can be run by everyone
because you don't need root permissions to make a -R.
I tested this on a 2.0.35 and .36 (both Slackware); when you try to do this on a 2.2.x the system prints out "message too long".
I think the problem is that there is a size check missing when you reach the maximum packet size and put in the route information, but anyway
I am not a guru on kernels.
So, now is time for the kernel experts :)
---------------------------------------------------------------------------
Eduardo Cruz - eduardo.cruz. en ts-g.com
Network Administrator
Telecomm Solutions Group
Tel: +350 74146 Fax: +350 41781
---------------------------------------------------------------
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo en vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
Message-Id: <3854E47A.B03E8E27 en fokus.gmd.de>
From: Andrei Pelinescu-Onciul <pelinescu-onciul en fokus.gmd.de>
To: Multiple recipients of list LINUX-KERNEL <linux-kernel en samba.anu.edu.au>
Subject: Re: [security] Big problem on 2.0.x? (fwd)
References: <Pine.LNX.3.96.991213124114.178G-100000 en hobbe.tripnet.se>
Date: Mon, 13 Dec 1999 23:30:27 +1100
Daniel Ryde wrote:
[...]
>
>
> Hello ppl.
>
> Last week I was playing with my old Linux 2.0.36 i486 box, while I was playing with the command ping and trying combinations of commands
> I found that when you do a ping -s 65468 -R ANYIPADDRESS (-R record route) the system starts to print kernel dumps on the screen,
> freezes completely and after a few seconds the system reboots.
>
I didn't look in 2.0.38 yet, but in 2.0.36 the problem is in net/ipv4/ip_output.c, in ip_build_xmit.
Here a short int (length) is used to compute the length of the IP packet. At first length contains the length of the packet without the header, then the IP header
length is added:
    if (!sk->ip_hdrincl) {
        length += sizeof(struct iphdr);
        if(opt) length += opt->optlen;
    }
ping -s 65468 -R generates a packet that looks like:
ip header: 20 bytes
ip options: 40 bytes
icmp header: 8 bytes
icmp data: 65468 bytes
If you add all this up you obtain 65536, but length is a short int so length will be 0!
A quick way to fix this bug is to add the following if, after the one above:
    if (length < 20){
        printk("<1> ip_build_xmit: ERROR: packet too big! "
               "dropping...\n");
        return -EPERM;
    }
However, if the length of the packet "overflows" 65535 by more than 20 bytes you could have trouble. I do not know the Linux networking code well enough (yet :)) so
maybe one of you can write a better solution. Also I probably should not return EPERM and use printk("<1>")...
Andrei
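As an added illustration (not code from this thread or from the kernel), the following C models the 16-bit length arithmetic Andrei describes with the sizes from the report, shows the wrap to 0 for ping -s 65468 -R, shows why a check on the already-wrapped value misses an overshoot of 20 bytes or more, and contrasts a bound computed in a wider type before truncation; the function names are hypothetical.

```c
#include <stdio.h>
#include <errno.h>

/* Added illustration (not the kernel's code): models the length arithmetic of
 * ip_build_xmit as the thread describes it, with the sizes from the report:
 * 20-byte IP header, 40 bytes of record-route options, 8-byte ICMP header. */
#define IPHDR_LEN   20u
#define ICMPHDR_LEN 8u

/* Mirrors the original: the running total is a 16-bit value, so adding the
 * header and options wraps silently. Returns the (possibly wrapped) length. */
unsigned short buggy_total_length(unsigned int payload, unsigned int optlen)
{
    unsigned short length = (unsigned short)payload; /* ICMP header + data */
    length += IPHDR_LEN;                              /* IP header */
    if (optlen)
        length += optlen;                             /* IP options */
    return length;                                    /* 65536 -> 0 */
}

/* Andrei's quick check applied to the wrapped value: it catches a wrap that
 * lands below 20, but not one that overshoots 65535 by 20 bytes or more. */
int quick_fix_rejects(unsigned int payload, unsigned int optlen)
{
    return buggy_total_length(payload, optlen) < 20;
}

/* Hardened version (hypothetical helper, not a kernel function): sum in a wide
 * type and reject anything that cannot fit the 16-bit IP total-length field
 * before it is truncated. Returns 0 on success, -EMSGSIZE if too big. */
int checked_total_length(unsigned int payload, unsigned int optlen,
                         unsigned short *out)
{
    unsigned int total = payload + IPHDR_LEN + optlen;
    if (total > 0xffffu)
        return -EMSGSIZE;   /* the "message too long" 2.2.x reports */
    *out = (unsigned short)total;
    return 0;
}

int main(void)
{
    unsigned int payload = ICMPHDR_LEN + 65468u; /* ping -s 65468 -R */
    unsigned short len = 0;
    printf("wrapped length: %u\n", (unsigned)buggy_total_length(payload, 40u));
    printf("quick fix rejects: %d\n", quick_fix_rejects(payload, 40u));
    printf("checked: %d\n", checked_total_length(payload, 40u, &len));
    return 0;
}
```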
Message-Id: <Pine.LNX.4.10.9912142321060.3284-100000 en alpha.random>
From: Andrea Arcangeli <andrea en suse.de>
To: Multiple recipients of list LINUX-KERNEL <linux-kernel en samba.anu.edu.au>
Subject: Re: [security] Big problem on 2.0.x? (fwd)
In-Reply-To: <3854E47A.B03E8E27 en fokus.gmd.de>
Date: Wed, 15 Dec 1999 14:16:04 +1100
On Mon, 13 Dec 1999, Andrei Pelinescu-Onciul wrote:
>I didn't look in 2.0.38 yet but in 2.0.36 the problem is in net/ipv4/ip_output.c in ip_build_xmit.
>Here a short int (length) is used to compute the length of the ip packet. At first length contains the length of the packet without the header, then the ip header
>length is added:
>
>if (!sk->ip_hdrincl) {
> length += sizeof(struct iphdr);
> if(opt) length += opt->optlen;
> }
>
>ping -s 65468 -R generates a packet that looks like:
>
>ip header: 20 bytes
>ip options: 40 bytes
>icmp header: 8 bytes
>icmp data: 65468 bytes
>
>If you add all this up you obtain 65536, but length is a short int so length will be 0!
Agreed. Your detection of the problem is correct IMHO.
>A quick way to fix this bug is to add the following if, after the one above:
>
> if (length < 20){
> printk("<1> ip_build_xmit: ERROR: packet too big! "
> "dropping...\n");
> return -EPERM;
> }
I looked at this too and I think your fix is very near to being the right
one. The basics of your changes are right IMO.
I fixed this by checking that the payload is not too big in the case where we
also have to include some IP options in the packet. If it's too big
I tell userspace it's too big. This is my version:
diff -urN 2.0.38/net/ipv4/ip_output.c 2.0.38-ping-R/net/ipv4/ip_output.c
--- 2.0.38/net/ipv4/ip_output.c Thu Jun 18 23:48:22 1998
+++ 2.0.38-ping-R/net/ipv4/ip_output.c Tue Dec 14 23:02:43 1999
@@ -703,7 +703,13 @@
if (!sk->ip_hdrincl) {
length += sizeof(struct iphdr);
- if(opt) length += opt->optlen;
+ if(opt)
+ {
+ /* make sure to not exceed the max packet size */
+ if (0xffff-length < opt->optlen)
+ return -EMSGSIZE;
+ length += opt->optlen;
+ }
}
if(length <= dev->mtu && !MULTICAST(daddr) && daddr!=0xFFFFFFFF && daddr!=dev->pa_brdaddr)
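Review bot: the new bound `if (0xffff-length < opt->optlen)` runs after `length += sizeof(struct iphdr);`, so it only guards the option addition and assumes `length` is still a valid 16-bit total at that point. Since, per the thread, `length` is a short int, a payload that already exceeds 0xffff minus the header has wrapped before the check (unless the caller has already bounded it), and if the type is a signed short the wrapped value is negative, which makes `0xffff-length` large and lets the packet through. Suggest computing the total in an `unsigned int` (payload plus `sizeof(struct iphdr)` plus `opt->optlen`) and comparing that against 0xffff before assigning it to `length`, or adding the same guard ahead of the header addition; returning -EMSGSIZE is the right signal and matches the "message too long" that 2.2.x reports.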
Worked fine here so far.
Andrea
PS. The same bug could also be exploited using UDP as a normal user. So
beware of doing a `chmod u-s /bin/ping`: it's not enough to fix the
problem.
Message-Id: <Pine.A41.4.21.9912150149350.37606-100000 en kleopatra.acc.umu.se>
From: David Weinehall <tao en acc.umu.se>
To: Multiple recipients of list LINUX-KERNEL <linux-kernel en samba.anu.edu.au>
Subject: Re: [security] Big problem on 2.0.x? (fwd)
In-Reply-To: <Pine.LNX.4.10.9912142321060.3284-100000 en alpha.random>
Date: Wed, 15 Dec 1999 16:46:39 +1100
On Tue, 14 Dec 1999, Andrea Arcangeli wrote:
[snip]
> diff -urN 2.0.38/net/ipv4/ip_output.c 2.0.38-ping-R/net/ipv4/ip_output.c
> --- 2.0.38/net/ipv4/ip_output.c Thu Jun 18 23:48:22 1998
> +++ 2.0.38-ping-R/net/ipv4/ip_output.c Tue Dec 14 23:02:43 1999
> @@ -703,7 +703,13 @@
>
> if (!sk->ip_hdrincl) {
> length += sizeof(struct iphdr);
> - if(opt) length += opt->optlen;
> + if(opt)
> + {
> + /* make sure to not exceed the max packet size */
> + if (0xffff-length < opt->optlen)
> + return -EMSGSIZE;
> + length += opt->optlen;
> + }
> }
>
> if(length <= dev->mtu && !MULTICAST(daddr) && daddr!=0xFFFFFFFF && daddr!=dev->pa_brdaddr)
>
> Worked fine here so far.
>
> Andrea
>
> PS. The same bug could be exploited also using udp as normal user. So
> beware in doing a `chmod u-s /bin/ping`: it's not enough to fix the
> problem.
Alan, would you consider a v2.0.39 with just this fix (possibly something
else if something else has come up)?!
There are a LOT of people still using v2.0.xx systems, and releasing a fix
would show them that we really care.
/David
_ _
// David Weinehall <tao en acc.umu.se> /> Northern lights wander \\
// Project MCA Linux hacker // Dance across the winter sky //
\> http://www.acc.umu.se/~tao/ </ Full colour fire </
--
To unsubscribe, send mail to: ayuda-unsubscribe en linux.org.mx
For additional commands, send it to: ayuda-help en linux.org.mx
More information about the Ayuda mailing list