-----Original Message-----
From: David Schwartz <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: 20 January 1999 01:17
Subject: Linux 2.0.36 vulnerable to local port/memory DoS attack
>
> I discovered an exploitable bug in Linux kernel 2.0.35 in September of
>1998. I reported it to the Linux developers. I was assured that this bug was
>part of a family of similar bugs that would soon be banished from the Linux
>kernel. In fact, I was told the release of 2.0.36 was being delayed to allow
>this bug, and others like it, to be fixed.
>
> Well, I just tested the exploit against a stock 2.0.36 kernel, and
>unfortunately, the attack still works. 2.1.x and the 2.2.x-pre builds are
>not vulnerable. A local unprivileged account is required to launch this
>attack. Multithreaded programs that work perfectly on other operating
>systems may accidentally trigger this bug on affected Linux systems.
>
> The effect of this bug is that anyone with a local account can permanently
>(until a reboot) steal any ports he or she wants (>1024, of course). It
>becomes subsequently impossible to listen on this port. Oddly, the kernel
>itself continues listening on the port and accepts incoming TCP connections.
>
> Kernel memory can be leaked in any quantity desired. Any number of ports
>can be made unusable.
>
> You will know if this bug has been exploited on your system because you
>will see sockets stuck permanently in the 'CLOSE_WAIT' state. The only cure
>is a reboot. As far as I can tell, there is no way to determine which user
>launched the attack once their process terminates. (I checked the uid field
>in the kernel, it's blank.)
>
> The way you trigger the bug is to open the port, and then while one thread
>selects on the port, another closes it. Due to the select, the close fails.
>The close can never happen again, as far as I know.
>
> The attached exploit code demonstrates the bug without harming the system
>too badly. Much more vicious exploits can be written trivially.
>
> David Schwartz
> <[EMAIL PROTECTED]>
>
killport.c
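The post says the tell-tale sign of this bug is sockets that sit in CLOSE_WAIT and never leave. The following checker, added here as an example (it is not part of the original mail or the killport.c attachment), parses /proc/net/tcp snapshots taken some time apart and reports the CLOSE_WAIT sockets present in all of them; the two embedded snapshots are constructed, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# State codes used in the 'st' column of /proc/net/tcp (from the kernel's tcp_states).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

def decode_addr(hexaddr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The IPv4 word is printed in host
    byte order, so this assumes a little-endian machine (x86)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of socket records."""
    sockets = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),               # blank/0 for the stuck sockets per the post
            "inode": int(fields[9]),             # identifies the socket across snapshots
        })
    return sockets

def stuck_close_wait(snapshots):
    """Return sockets that are in CLOSE_WAIT in every snapshot. A transient CLOSE_WAIT
    is normal while an application drains and closes; one that survives several
    snapshots is the symptom described in the advisory."""
    key = lambda s: (s["inode"], s["local"], s["remote"])
    seen = None
    for snap in snapshots:
        now = {key(s): s for s in parse_proc_net_tcp(snap) if s["state"] == "CLOSE_WAIT"}
        seen = now if seen is None else {k: v for k, v in seen.items() if k in now}
    return list((seen or {}).values())

# Constructed sample snapshots: inode 11002 stays in CLOSE_WAIT, inode 11003 goes away.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
ROW_LISTEN = "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 00000000 100 0 0 10 0\n"
ROW_STUCK  = "   1: 0100007F:1F90 0100007F:C350 08 00000000:00000000 00:00000000 00000000     0        0 11002 1 00000000 100 0 0 10 0\n"
ROW_NORMAL = "   2: 0100007F:0016 0100007F:C351 08 00000000:00000000 00:00000000 00000000  1000        0 11003 1 00000000 100 0 0 10 0\n"
SNAPSHOT_1 = HEADER + ROW_LISTEN + ROW_STUCK + ROW_NORMAL
SNAPSHOT_2 = HEADER + ROW_LISTEN + ROW_STUCK

if __name__ == "__main__":
    for s in stuck_close_wait([SNAPSHOT_1, SNAPSHOT_2]):
        print("stuck CLOSE_WAIT: %s:%d <- %s:%d inode %d" % (s["local"] + s["remote"] + (s["inode"],)))
```

On a live 2.0.36 box, replace the constructed snapshots with `open("/proc/net/tcp").read()` taken a few minutes apart; a socket reported by every run is the persistent CLOSE_WAIT the post describes.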