Awww come on, Let the have their win. You're the kind of guy who tells a 3 year old their finger painting on the fridge is shit, aren't you.
Sent using BlackBerry® from Orange -----Original Message----- From: Marcus Meissner <[email protected]> Sender: [email protected] Date: Tue, 13 Mar 2012 23:17:41 To: Christophe Alladoum<[email protected]> Cc: <[email protected]> Subject: Re: [Full-disclosure] [iputils] Integer overflow in iputils ping/ping6 tools Hi, How is this different from writing a fork bomb? Ciao, Marcus On Tue, Mar 13, 2012 at 09:42:29AM +0100, Christophe Alladoum wrote: > ====[ Description ]==== > > An integer overflow was found in iputils/ping_common.c main_loop() function > which could lead to excessive CPU usage when triggered (could lead to DoS). > This > means that both ping and ping6 are vulnerable. > > > ====[ Proof-Of-Concept ]==== > > Specify "big" interval (-i option) for ping/ping6 tool: > {{{ > $ ping -i 3600 google.com > PING google.com (173.194.66.102) 56(84) bytes of data. > 64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 > time=11.4 ms > [...] > }}} > > And check your CPU usage (top, htop, etc.) > > > ====[ Explanation ]==== > > Here, ping will loop in main_loop() loop in this section of code : > {{{ > /* from iputils-s20101006 source */ > /* ping_common.c */ > > 546 void main_loop(int icmp_sock, __u8 *packet, int packlen) > 547 { > [...] > 559 for (;;) { > [...] > 572 do { > 573 next = pinger(); > 574 next = schedule_exit(next); > 575 } while (next <= 0); > [...] > 588 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) || > next<SCHINT(interval)) { > [...] > 593 if (1000*next <= 1000000/(int)HZ) { > }}} > > If interval parameter (-i) is set, then condition L593 will overflow (ie. > value > exceeding sizeof(signed integer)), making this statement "always true" for big > values (e.g. -i 3600). As a consequence, ping process will start looping > actively as long as condition is true (could be pretty long). > > As far as looked, this bug is unlikely to be exploitable besides provoking > Denial-Of-Service. > > > ====[ Affected versions ]==== > > Tested on Fedora/Debian/Gentoo Linux system (2.6.x x86_32 and x86_64) on > iputils > version 20101006. ping6 seems also to be affected since it's relying on same > ping_common.c functions. > > Since iputils is not maintained any longer > (http://www.spinics.net/lists/netdev/msg191346.html), patch must be applied > from > source. > > > ====[ Patch ]==== > Quick'n dirty patch (full patch in appendix) is to cast test result as long > long: > {{{ > 593 if (((long long)1000*next) <= (long > long)1000000/(int)HZ) { > }}} > > > ====[ Credits ]==== > * Christophe Alladoum (HSC) > * Romain Coltel (HSC) > > > -- > Christophe Alladoum - <[email protected]> > Hervé Schauer Consultants - <http://www.hsc.fr> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Working, but not speaking, for the following german company: SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg) Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
