[Full-Disclosure] THREATCON back up!
silvio at big.net.au
silvio at big.net.au
Mon Sep 30 08:04:17 BST 2002
ok.. THREATCON(tm) is back up after resolving the previous segv issuess.
unfortunately - one of our research boxes was denial of serviced when it
ran out of file descriptors.
openbsd/src/sbin/ancontrol/ancontrol.c
has some code that does this
main
if (s)
close(s);
return (0);
well.. here at THREATCON research labs, we use execve wrappers around
this binary, where we do a close(0) to cut down on file descriptor usage,
before exec. for the above program, we noticed that the above close(s) didn't
actually close the socket because 0 is a valid file descriptor - and
was returned from a socket call, after we did the close(0) also what
about -1 in the above code? erm, nevermind.
the recommended patch is to remove the condition competely, since before that
it will exit() if socket() fails (where it checks for s < 0).
also. it is suspected that some code out there does fd checks like this
if (fd <= 0) failure
this is noteably incorrect, because as stated prior, 0 is a valid fd.
I recommend full auditing of all error checking associated with obtaining
a fd!
THREATCON status of "gravelly road", did not change with the release of this
advisory.
--
Silvio
Full-Disclosure is hosted and sponsored by Secunia.