cipher.org.uk - Cipher

Taking advantage of File Descriptor exhaustion bugs

January 20, 2011

Recently I saw an email at Full Disclosure (here and here), which describes a typical file descriptor exhaustion bug, and I decided to use it as a demonstration bug for this post. There are situations in which a file descriptor exhaustion issue can help when trying to take advantage of certain conditions (in many cases local ones). In most of these cases exploitation will involve some kind of race condition.

The example described below aims at disabling a Linux security countermeasure, and possibly the equivalent one in other OSs that implement the same type of protection in a similar way. Note that I demonstrate the issue on older kernel/libc versions, because newer versions implement this protection differently and are not affected.
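To make the condition the post builds on concrete, here is a small added example (my own code, not from the original post) that shows how file descriptor exhaustion manifests on Linux and gives a check a hardened program can run. It lowers its own soft RLIMIT_NOFILE to a constructed value of 16, opens /dev/null until open() fails with EMFILE, and probes the table with fcntl(F_GETFD) to confirm that every slot below the limit is in use; the limit value, the helper names and the use of /dev/null are assumptions for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

#define CAP 16  /* constructed soft limit for the demo; real limits are 1024 or more */

/* Count descriptors in use below `limit` by probing each with fcntl(F_GETFD).
 * A hardened program can compare this against RLIMIT_NOFILE at startup or
 * before a privileged operation to notice that its table is (nearly) full. */
int count_open_fds(int limit) {
    int n = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Lower the soft limit, open /dev/null until open() fails, record the errno
 * and the table occupancy at that moment, then undo everything.
 * Returns the errno of the first failed open() (expected: EMFILE), or -1 on
 * setup error. `opened` receives the number of extra descriptors obtained. */
int demo_exhaustion(int *opened, int *in_use_at_failure) {
    struct rlimit old, cap;
    int fds[CAP];
    int err = 0, n = 0;

    if (getrlimit(RLIMIT_NOFILE, &old) != 0) return -1;
    cap = old;
    cap.rlim_cur = CAP;                 /* lowering the soft limit needs no privilege */
    if (setrlimit(RLIMIT_NOFILE, &cap) != 0) return -1;

    while (n < CAP) {                   /* stdin/stdout/stderr already hold 3 slots */
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) { err = errno; break; }   /* open() fills the lowest free slot; none left */
        fds[n++] = fd;
    }
    *opened = n;
    *in_use_at_failure = count_open_fds(CAP);  /* no free slot below CAP remains */

    for (int i = 0; i < n; i++) close(fds[i]);
    setrlimit(RLIMIT_NOFILE, &old);     /* restore so the rest of the process is unaffected */
    return err;
}

int main(void) {
    int opened, in_use;
    int err = demo_exhaustion(&opened, &in_use);
    printf("opened %d extra fds, %d/%d slots in use, open() failed with %s\n",
           opened, in_use, CAP, err == EMFILE ? "EMFILE" : strerror(err));
    return err == EMFILE ? 0 : 1;
}
```

Because open() always returns the lowest free descriptor, a program that closes one of its descriptors while the table is otherwise full will get that same number back on its next open(), which is the window the race conditions mentioned above depend on.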

Environment:

manos@jaunty:~/p/ke$ uname -a
Linux jaunty 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
manos@jaunty:~/p/ke$ sudo aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Version: 2.9-4ubuntu6.3
Priority: required
Section: libs
Maintainer: Ubuntu Core developers
Uncompressed Size: 11.2M
Depends: libgcc1, findutils (>= 4.4.0-2ubuntu2)
Suggests: locales, glibc-doc, libc6-i686
Conflicts: libterm-readline-gnu-perl (< 1.15-2), tzdata (< 2007k-1)