Sunday, November 16, 2008

Fake Unix and Linux Advisory - The /dev/null Vulnerability

Hey again,

Here's a little something from 2003 (Remember way back then, when the future looked bright and almost anything seemed possible? ...me neither ;)

This is a humorous little fake CERT-like advisory concerning the implementation of /dev/null on all Unix and Linux operating systems and the disastrous effects of ignoring the problem. The bit I've put here was pulled from Ian's Humor Pages, which you might want to check out and find all the other funny stuff on there :)

Hope you enjoy it. I'm going away now to appease the "simple syndication" beast. Is this short enough for you, oh mighty and vainglorious Google RSS? ;)

Cheers,


From: lsloof@cirt.us (Dr. Lirpa Sloof)
Newsgroups: alt.security,comp.security.unix,comp.os.linux.security
Subject: CIRT Advisory CA-2003-0401: /dev/null Vulnerability
Date: 01 Apr 2003 08:21:28 GMT
Organization: Computer Incident Response Team (CIRT)
Message-ID: <advisory-ca-2003-0401@announce.cirt.us>
NNTP-Posting-Host: nimbus.thunder.net


CIRT Advisory CA-2003-0401 /dev/null Vulnerability
Computer Incident Response Team

Systems Affected

* Windows CE, ME, NT, 2000, XP, 98, 95
* Linux (all distributions)
* BSD-derived Operating Systems
* Solaris
* IRIX
* HP-UX
* Digital/Compaq Tru64 Unix
* AIX
* other Unix-compatible systems and Unix-compatibility libraries

Overview

There is a vulnerability in /dev/null on Unix systems, Unix-compatible
systems and those with Unix or POSIX compatibility libraries (including
Windows) that can be exploited to cause a denial-of-service condition
and could cause hardware damage to some systems in isolated cases.
Though rare, the possibility of hardware damage is the primary reason
why this advisory is being categorized as urgent.

I. Description

A vulnerability has been discovered with the algorithm most commonly
used to implement /dev/null on Unix and Unix-compatible systems which
can be used to cause damage to other software connected to it. In some
cases, this software damage can also trigger hardware damage. These
vulnerabilities can be exploited by a local user already logged into
the system for a denial-of-service. If used in conjunction with
remote exploit attacks, this could allow a remote attacker, worm or
virus to cause hardware damage on some systems. In even more rare
circumstances there are possibilities of bodily injury in bystanders.

II. Impact

The contemporary method of /dev/null drivers is described as the "high
suction algorithm" in comparison with the replacement that vendors have
made available for their systems. If a malicious user uses a program
with low-resistance logic to connect /dev/null back into itself,
the device goes critical and can be used for destructive purposes.
Once the /dev/null device driver enters a critical state, programs with
low-resistance logic will break, be consumed by /dev/null and expose
their standard input to the full force of /dev/null itself. Some examples
which have been verified in labs include the following:
* Programs which are consumed by /dev/null become permanent entry points
to /dev/null afterward.
* If standard input is redirected from any regular file, it will be
"sucked dry" and left empty. File permissions do not prevent loss
of data.
* If standard input is redirected from a directory, all the files and
directories within it will be sucked dry, recursively removing an
entire directory tree.
* If standard input is redirected from a pipe or named pipe, it will
expose the full force of the critical state /dev/null to the program
on the other end of the pipe. As with direct linkage to /dev/null,
if the program contains logic too weak to resist the suction, it
will be consumed and permanently become a portal to /dev/null itself.
* If standard input is redirected from a keyboard device, the keyboard
will implode, crushing the keys. This has the possibility to cause
minor lacerations if anyone is typing on the keyboard at the time of the
implosion.
* If standard input is redirected from a mouse device, it will pop like
a weasel in a microwave oven.
* If standard input is redirected from a CRT monitor driver, the device
is unaffected because it already contains a vacuum.
* If standard input is redirected from a disk driver, the drive will
be erased and the lubrication removed from the bearings. In lab tests
the disk platter has exited the drive at high speed in a random
direction. Note that if this occurs in a data center environment,
the platter is likely to embed itself in other computer hardware.
There is a risk of injury if a disk platter or other shrapnel from
the self-destructing disk drive should hit any person.
* If standard input is redirected from a network device, the results
have been very unpredictable. The effects appear to be mainly
confined within the local area network (LAN). In all cases, all
packets are sucked off the network.
* An ethernet hub is too weak to resist the suction and becomes a
vacuum port for /dev/null.
* All ethernet switches and broadband network interfaces are immune
to the effects.
* In one home where a user-modified digital video recorder (DVR) device
was connected to the network, the existing recordings were erased.
But the device was running Linux so its own /dev/null created enough
suction that the pressure differential caused no further damage.
* In another home where a refrigerator was connected to the network,
all the food inside became freeze-dried.
* The most violent reaction was found where a home automation system
was connected to the network. The vacuum came in contact with the
central air vents and sucked the air out of the house. Everyone
got out safely. But an infestation of termites in the house was
entirely suffocated.

III. Solution

Note that many of the mitigation steps recommended below may have
significant impact on your everyday home or office operations. Use
appropriate caution but also ensure that any changes made based on the
following recommendations will not unacceptably affect your ongoing use
of your computer and occupancy of your building unless you're certain
that a great danger exists in your circumstances.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.
Please consult this appendix to determine if you need to contact
your vendor directly.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory.

Microsoft

The same patch as the fix for the March 17 buffer overflow in the
Windows Core DLL also fixes the high-suction algorithm. Note that
Windows systems are particularly vulnerable to the high-suction
algorithm because all the programs on Windows have weak logic and
are unable to resist the suction. Also, Microsoft has said that
there will be no patch for NT4 because they are unable to build a
new copy of the OS from source code. So NT4 not only sucks, but
it also blows.

Red Hat

Upgrade to kernel kernel-2.4.18-27.7.x (for RedHat Linux 7.x),
kernel-2.4.18-27.8.0 (for RedHat Linux 8.0) or later.

RedHat Linux 9.0 is not vulnerable.

SCO (Caldera)

Upgrade to OpenLinux 3.1.1, UnixWare 7.1.1, OpenUnix 8.0.0
or later.

Debian GNU/Linux

Upgrade to kernel kernel-image-2.4.18* or later for your system.

Mandrake Linux

Upgrade to kernel-2.4.19.32mdk-1-1mdk.* (for Mandrake Linux 9.0,
Corporate Server 2.1) or later.

Mandrake Linux 9.1 is not vulnerable.

SuSE Linux

Upgrade to kernel-2.4.19-20030324 updates (for SuSE Linux 8.1),
kernel-2.4.18-20030324 (for SuSE Linux 7.1-8.0) or later.

SuSE Linux 8.2 is not vulnerable.

Slackware Linux

For Slackware Linux, contact your vendor.

FreeBSD

Upgrade to FreeBSD 5.0 or later.

NetBSD

Upgrade to NetBSD-1.6.1 or later.

OpenBSD

Upgrade to OpenBSD 3.3 or later.

Solaris

Apply patch 114356-01 (Solaris 9), patch 114356-01 (Solaris 8)
or later.

IRIX

Apply update 20030201-01-P.

HP

Apply patch SSRT2322_2341_2384_2412_2439 (HP/Compaq Tru64 Unix).
For HP-UX, contact your vendor.

AIX

For AIX, contact your vendor.


, Mike
