Slashdot Mirror


Linux 2.2 DoS Attack

A small bug in the Linux networking code has been found, and just as quickly patched. The bug affects all Linux 2.2 kernels, and can be fixed by removing "kfree_skb(skb);" from around line 455 of linux/net/ipv4/ip_options.c. Big thanks to Alan Cox on this one.

10 of 270 comments

  1. From Alan Cox mouth by Anonymous Coward · · Score: 4

    This just came to me from BUGTRAQ.
    Can someone tell me what that output means?
    --------------cut here---------------------

    Ok problem confirmed. It's not icmp however - in fact the program given
    has some bugs that cause it. If it had been a correctly written icmp tester
    it wouldn't have worked. A blessing in disguise.

    Anyway the fix seems to be this. Sorry it took so long to sort out.


    --- ../linux.vanilla/net/ipv4/ip_options.c Wed May 12 16:49:38 1999
    +++ net/ipv4/ip_options.c Tue Jun 1 22:11:46 1999
    @@ -452,7 +452,6 @@
    error:
    if (skb) {
    icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)- kfree_skb(skb);
    }
    return -EINVAL;
    }
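    Review bot: the hunk header `@@ -452,7 +452,6 @@` announces one deleted line, but no line in the hunk carries a `-` marker: the deleted `kfree_skb(skb);` has been run onto the end of the `icmp_send(...)` line and the `<<` shift inside `htonl(...)` is missing (the "TOASTED PATCH" comment further down makes the same observation), so `patch` will reject this text as pasted. Apply it by hand instead: leave the `icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl(...))` call exactly as it stands in the original file and delete only the `kfree_skb(skb);` line, so the error path still sends the parameter-problem ICMP and returns -EINVAL without freeing a buffer the caller still holds.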

    Alan

    1. Re:From Alan Cox mouth by Parity · · Score: 3

      Nobody's answered the coward's question yet?
      The answer is, basically, that the output is patch-style diff output. It says that comparing ip_options.c in the linux.vanilla hierarchy to the ip_options.c in the current hierarchy, you can make vanilla like current by removing the line that says 'kfree_skb(skb);' ; in other words, that's the technical version of what was mentioned on the main article.
      I have a memory like a sieve, so I won't attempt to tell you how, but you can take those lines and pipe them through diff and patch your kernel that way. I think it may be as simple as being root and doing 'patch filename', but if I were you I'd check the manpages (for diff, and patch) before trying anything. For a one-liner it's probably just as easy to cut it by hand.

      --
      --Parity
      'Card carrying' member of the EFF.
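    As an added example, not code from this thread or from the kernel tree, here is a small C model of the ownership question the hunk above settles. The removed `kfree_skb(skb);` freed the packet buffer inside the option parser while the function also returned -EINVAL to a caller that frees the buffer on failure, so one malformed packet freed the same buffer twice; that reading is an inference from the hunk, not a statement from the thread. The `toy_skb` struct, the `compile_options_*` and `receive_packet` names, and the IHL sanity check are constructed stand-ins for illustration, not the kernel's API, and the mock free routine counts calls so the double free shows up as a number instead of a crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of buffer ownership on the option-parsing error path.
 * Everything named here is constructed for illustration; it is not the
 * kernel's sk_buff, kfree_skb, or ip_options_compile.
 */

#define EINVAL_TOY 22  /* plain stand-in for the kernel's -EINVAL */

/* Stand-in for struct sk_buff: the header bytes plus a free counter. */
struct toy_skb {
    unsigned char *data;
    size_t len;
    int frees;   /* how many times toy_free_skb() has been called on this buffer */
};

/* Mock of kfree_skb(): counts calls instead of really freeing, so a double
 * free becomes an observable value rather than undefined behaviour. */
static void toy_free_skb(struct toy_skb *skb) { skb->frees++; }

/* Constructed sanity check: IHL (low nibble of byte 0, in 32-bit words)
 * must be at least 5 and must not claim more header than the buffer holds. */
static int ihl_is_sane(const struct toy_skb *skb) {
    unsigned ihl = skb->data[0] & 0x0f;
    return ihl >= 5 && ihl * 4 <= skb->len;
}

/* "Before": the callee frees the buffer on error AND returns an error code,
 * mirroring the kfree_skb(skb) line the patch deletes. */
static int compile_options_buggy(struct toy_skb *skb) {
    if (!ihl_is_sane(skb)) {
        toy_free_skb(skb);     /* the extra free: the caller will free again */
        return -EINVAL_TOY;
    }
    return 0;
}

/* "After": report the error and leave the buffer to its owner, the caller. */
static int compile_options_fixed(struct toy_skb *skb) {
    if (!ihl_is_sane(skb))
        return -EINVAL_TOY;
    return 0;
}

/* The caller owns the skb and always frees it when compilation fails.
 * Returns how many frees the buffer saw: 0 or 1 is correct, 2 is a double free. */
static int receive_packet(int (*compile)(struct toy_skb *),
                          const unsigned char *hdr, size_t len) {
    struct toy_skb skb = { .data = malloc(len), .len = len, .frees = 0 };
    memcpy(skb.data, hdr, len);
    if (compile(&skb) < 0)
        toy_free_skb(&skb);   /* caller's own cleanup on the error path */
    int frees = skb.frees;
    free(skb.data);           /* real release of the toy backing store */
    return frees;
}

/* Constructed 20-byte IPv4 headers: one whose IHL nibble claims 15 words
 * (60 bytes, more than the buffer holds), one with the normal IHL of 5. */
static const unsigned char mangled_hdr[20] = { 0x4f, 0x00, 0x00, 0x14 };
static const unsigned char good_hdr[20]    = { 0x45, 0x00, 0x00, 0x14 };

int main(void) {
    printf("buggy callee, mangled header: %d free(s)\n",
           receive_packet(compile_options_buggy, mangled_hdr, 20));
    printf("fixed callee, mangled header: %d free(s)\n",
           receive_packet(compile_options_fixed, mangled_hdr, 20));
    printf("fixed callee, good header:    %d free(s)\n",
           receive_packet(compile_options_fixed, good_hdr, 20));
    return 0;
}
```

    The point the counter makes is the one the one-line patch makes: an error return means "I could not process this, you still own it", so the function that returns -EINVAL must not also release the buffer.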
  2. It's not a remote exploit! by Anonymous Coward · · Score: 5

    ARGH! It's a remote crash.. Most people would rather there be a remote crash than a remote exploit.. (RE in most people's minds means the attacker gets root)

    PLEASE update the post to indicate that this is a crash and not a root exploit.. PLEASE!

  3. Re:Ho HUmmmm by TechNoir · · Score: 3

    Bleeding Edge hacker types run 2.2? Hrm. It's the stable kernel for distribution now. Anyone with RedHat 6 or whatever the latest Debian version is (Potato or something) will have this exploit. RedHat better have a fix up on their server pretty damn swiftly.
    --
    David Coulson (TechNoir)
    themes.org Senior Developer

  4. Re:2.3 as well? by John+Campbell · · Score: 3

    I found Slashdot's kernel announcements to be a useful place to hold discussions about the new kernels that didn't belong on linux-kernel. With LinuxHQ's list archive no longer current (and LinuxHQ itself down seemingly as often as not) that resource would be even more valuable, but, no, we don't have it any more because a few morons who don't think that newbies should know about all that scary development stuff made a big stink here and on the kernel list.

    And who are you to be saying who "needs" to be running 2.3? I probably don't _need_ to be running it - I'm not working on USB or any of the other stuff that's new in 2.3 - but I am anyway. I figure that if it nukes my box, no problem... I'm not doing it on a main server for exactly that reason. And I might run across a problem with it that others wouldn't because of my particular hardware setup... I doubt there are many people doing kernel dev on a 386. And then I can either track down the problem myself (though I can seldom do it fast enough to keep up with the fixes that everyone else is sending in) or submit a bug report to linux-kernel so someone else can track it down. That's how free source works.

  5. Both right and wrong ... by Bwah · · Score: 3

    I would love to agree with you, but can't.

    It would be damn near impossible to run a full qual. test on a modern OS. The complexity level is just too high and there are really no requirements to test anyway. The government will not (I hope) step in here. There is no reason for them to do so.

    Think of it this way: it takes WEEKS of 24 hour computing to run a FQT on an aircraft digital flight control system. WEEKS. and this is a system with super super rigid, well defined, realtime requirements. There is no code in the system that is not used.

    Now consider the Linux kernel. How many system calls are in there that joe average user never touches? How many combinations of things could be going on at one time? For all intents and purposes we are dealing with an infinite combination regression test situation here. or something. :-) You can't ever really test this kind of general purpose system.

    With the complexity in modern realtime and avionics systems, we are pushing the limits of software test. Formal qual testing of general purpose software is a lost cause.

    I'll stop rambling on now ...

    /dev


    --
    "There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
  6. There's a little more info in the Bugtraq post. by roystgnr · · Score: 5

    From the archives at www.geek-girl.com


    Linux kernel 2.2.x vulnerability/exploit

    Piotr Wilkin (pwl@WOTAN.2SLO.WAW.PL)
    Tue, 1 Jun 1999 17:43:17 +0200


    I'm sorry if this has been noticed before, but since I didn't find anything
    in the archives, I post it here.
    There seems to be a bug in kernels 2.2.x (tested on 2.2.7 and 2.2.9), that
    causes them to panic when they are sent a large number of specific ICMP
    packages. I think the problem comes from the combination of the mangled
    header length (shorter or longer ihl's don't cause hangup) and the random
    ICMP packets (random type/subtype and source address) this program sends.
    Windows 9x and FreeBSD 3.0 seem to be unaffected.


    I think the most interesting thing is the date, though... I'm sure I'm making a timezone mistake here, but isn't that 8 hours ago? Is that faster or slower than the Linux teardrop fix?

    It's annoying to find out about a new DOS attack, but the resolution is all that you could hope for.

    It's a little less annoying that there don't seem to be any outstanding instant-crash attacks against Win98 to laugh about - they finally fixed the series of attacks that crashed 95 for 8 months straight, and I haven't seen anything since. Did Microsoft finally get their IP stack right?

  7. TOASTED PATCH! by Bilbo · · Score: 5

    Uh... before you apply this patch, notice that the "less-than" in the icmp line should actually be doubled (i.e., a left shift operation)! The second less-than symbol got swallowed somewhere in the HTML conversion.

    --
    Your Servant, B. Baggins
  8. Re:Da patch... by maw · · Score: 5
    Justin said linux/net/ipv4/ip_options.c . This seems obvious to people who've been using Unix for years, but to newbies it apparently doesn't; I'll explain.

    linux/ means the directory where the Linux kernel sources live. Typically, when one refers to linux/ one means /usr/src/linux/ although this isn't a given. net/ means the subdirectory called net/ ; ipv4/ means the subdirectory of net/ called ipv4/ ; ip_options.c is the file you want to edit. You want to open this file with your favorite text editor, preferably one that displays line numbers somewhere. (You can toggle whether emacs displays your current line number with M-x line-number-mode.) To comment out C code, you can use /* ... */ . Comments like these can't be nested. It's pretty easy to comment out large sections of code like this. (You'll fairly often see people using // for comments in C code, but it's a bad idea, and you shouldn't do it. Don't Be That Guy (tm)!)

    HTH

    --
    You're a suburbanite.
  9. Da patch... by Vladinator · · Score: 3

    How about in future articles, you post a link to the patch as well? This would be very helpful to newbies like myself who don't quite know where to find everything yet...

    And I JUST compiled 2.2.9 today!!! Arrgh!
    "I have no respect for a man who can only spell a word one way." - Mark Twain

    --

    "Going to war without France is like going deer hunting without your accordion." - Jed Babbin