[SuSE Linux] Fwd: Linux 2.0.36 vulnerable to local port/memory DoS attack

-----Original Message-----
From: David Schwartz <davids@WEBMASTER.COM>
To: BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
Date: 20 January 1999 01:17
Subject: Linux 2.0.36 vulnerable to local port/memory DoS attack
I discovered an exploitable bug in Linux kernel 2.0.35 in September of 1998. I reported it to the Linux developers. I was assured that this bug was part of a family of similar bugs that would soon be banished from the Linux kernel. In fact, I was told the release of 2.0.36 was being delayed to allow this bug, and others like it, to be fixed.
Well, I just tested the exploit against a stock 2.0.36 kernel, and unfortunately, the attack still works. 2.1.x and the 2.2.x-pre builds are not vulnerable. A local unprivileged account is required to launch this attack. Multithreaded programs that work perfectly on other operating systems may accidentally trigger this bug on affected Linux systems.
The effect of this bug is that anyone with a local account can permanently (until a reboot) steal any ports he or she wants (>1024, of course). It becomes subsequently impossible to listen on this port. Oddly, the kernel itself continues listening on the port and accepts incoming TCP connections.
Kernel memory can be leaked in any quantity desired. Any number of ports can be made unusable.
You will know if this bug has been exploited on your system because you will see sockets stuck permanently in the 'CLOSE_WAIT' state. The only cure is a reboot. As far as I can tell, there is no way to determine which user launched the attack once their process terminates. (I checked the uid field in the kernel; it's blank.)
The way you trigger the bug is to open the port, and then while one thread selects on the port, another closes it. Due to the select, the close fails. The close can never happen again, as far as I know.
The attached exploit code demonstrates the bug without harming the system too badly. Much more vicious exploits can be written trivially.
David Schwartz <davids@webmaster.com>
Attachment: killport.c (bin00032.bin)
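The post's one detection hint is that an exploited host shows sockets parked permanently in CLOSE_WAIT with no owning process. The following added example (not part of the original post or its attached killport.c) turns that hint into a check: it parses the table format of /proc/net/tcp, decodes the hex endpoints, and reports every CLOSE_WAIT socket, marking the ones whose inode is 0, meaning no file descriptor refers to them any more. The sample table is constructed, the column layout is that of current kernels rather than 2.0.36, and treating inode 0 as "orphaned" is a heuristic assumption; a genuinely stuck socket would also have no matching entry in any process's fd table.

```python
"""Report TCP sockets parked in CLOSE_WAIT by parsing /proc/net/tcp.

Added example, not code from the original post. The sample table below is
constructed; the column layout follows the /proc/net/tcp format of current
kernels (sl, local_address, rem_address, st, tx:rx, tr:when, retrnsmt,
uid, timeout, inode, ...).
"""
import socket
import struct
import sys

# TCP state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: a listener on 8080, a CLOSE_WAIT socket with no owner
# (inode 0), an established SSH session, and a CLOSE_WAIT socket that some
# process still holds open (non-zero inode).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 08 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0016 0100007F:C351 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:1F91 0100007F:C352 08 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(hex_endpoint):
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080).

    The kernel prints the 32-bit address in host byte order, so on a
    little-endian machine the octets appear reversed (assumed here).
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or unexpected line; ignore
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def find_stuck_close_wait(text):
    """Return CLOSE_WAIT sockets, flagging those with no owning descriptor.

    'orphaned' is a heuristic: inode 0 means no fd refers to the socket,
    which matches the post's description of a socket the kernel keeps
    alive after the owning process is gone.
    """
    return [
        {**row, "orphaned": row["inode"] == 0}
        for row in parse_proc_net_tcp(text)
        if row["state"] == "CLOSE_WAIT"
    ]


if __name__ == "__main__":
    # Usage: python close_wait_check.py [path]; falls back to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/tcp"
    try:
        with open(path) as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for entry in find_stuck_close_wait(table):
        tag = "ORPHANED" if entry["orphaned"] else "owned"
        print("%s:%d <- %s:%d uid=%d inode=%d %s" % (
            entry["local"] + entry["remote"]
            + (entry["uid"], entry["inode"], tag)))
```

Run against the live file on a host that shows the symptom and the orphaned rows are the ones the post is talking about: they survive process exit, `ss -p`/`lsof` cannot attribute them to anyone, and the port they hold cannot be bound again until reboot.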
Participants (1): vidor@ec.se