what you don't know can hurt you

IPUtils Denial Of Service

IPUtils Denial Of Service
Posted Mar 13, 2012
Authored by Christophe Alladoum, Romain Coltel

An integer overflow was found in the iputils/ping_common.c main_loop() function. This issue can lead to a denial of service condition.

tags | exploit, denial of service, overflow
MD5 | 09bb65304c59851aca3737ad848f075b

IPUtils Denial Of Service

Change Mirror Download
====[ Description ]====

An integer overflow was found in iputils/ping_common.c main_loop() function
which could lead to excessive CPU usage when triggered (could lead to DoS). This
means that both ping and ping6 are vulnerable.


====[ Proof-Of-Concept ]====

Specify "big" interval (-i option) for ping/ping6 tool:
{{{
$ ping -i 3600 google.com
PING google.com (173.194.66.102) 56(84) bytes of data.
64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 time=11.4 ms
[...]
}}}

And check your CPU usage (top, htop, etc.)


====[ Explanation ]====

Here, ping will loop in main_loop() loop in this section of code :
{{{
/* from iputils-s20101006 source */
/* ping_common.c */

546 void main_loop(int icmp_sock, __u8 *packet, int packlen)
547 {
[...]
559 for (;;) {
[...]
572 do {
573 next = pinger();
574 next = schedule_exit(next);
575 } while (next <= 0);
[...]
588 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) || next<SCHINT(interval)) {
[...]
593 if (1000*next <= 1000000/(int)HZ) {
}}}

If interval parameter (-i) is set, then condition L593 will overflow (ie. value
exceeding sizeof(signed integer)), making this statement "always true" for big
values (e.g. -i 3600). As a consequence, ping process will start looping
actively as long as condition is true (could be pretty long).

As far as looked, this bug is unlikely to be exploitable besides provoking
Denial-Of-Service.


====[ Affected versions ]====

Tested on Fedora/Debian/Gentoo Linux system (2.6.x x86_32 and x86_64) on iputils
version 20101006. ping6 seems also to be affected since it's relying on same
ping_common.c functions.

Since iputils is not maintained any longer
(http://www.spinics.net/lists/netdev/msg191346.html), patch must be applied from
source.


====[ Patch ]====
Quick'n dirty patch (full patch in appendix) is to cast test result as long long:
{{{
593 if (((long long)1000*next) <= (long long)1000000/(int)HZ) {
}}}


====[ Credits ]====
* Christophe Alladoum (HSC)
* Romain Coltel (HSC)


--
Christophe Alladoum - <christophe.alladoum@hsc.fr>
Hervé Schauer Consultants - <http://www.hsc.fr>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close