fork bomb attack
Kyrre Ness Sjobak
kyrre at solution-forge.net
Sat Mar 19 16:04:54 UTC 2005
lør, 19.03.2005 kl. 15.49 skrev Paul Iadonisi:
> On Sat, 2005-03-19 at 15:20 +0100, Kyrre Ness Sjobak wrote:
>
> [snip]
>
> > or print to a
> > remote machine called "localhost" - thats effectively a forkbomb...
>
> Ewe! That sounds like an insanely simple exploit. Anyone want to
> confirm this? If it's that easy, I'd call it bug.
I tried reporting it, but it was closed as a "configuration error". Oh
dear, having somebody walk up to your (wireless) nettwork, connecting a
laptop with hostname "localhost" sharing a printer, and pressing print
on one of the connected public terminals (which, just to make it funny,
are thin clients).
What effectively happens, is that the terminal sends the job to
localhost - i.e. itself, which sends the job to localhost, which sends
the job to localhost. I also guess they are all waiting for some
confirmation "yup, printing finished" etc. Guess what happens to
/var/spool/cups...
Personally, would suggest that cups should do some kinds of sanity
checking on the hostnames it recives - such as "do they map to the same
host (IP) that sent the broadcast pacage? If not, just use the IP and
screw the hostname - at least internally in CUPS." But if it *shows* a
"thrusted" printserver (such as TopSecretPrinter at Securehost") name, but
really sends it to "PostscriptDumpPassthrough at SpyHost" (Spyhost claiming
it is Securehost, cups see it, guesses it is a misconfig - and ignores,
sending to SpyHost), things could get really interesting...
Kyrre Ness Sjøbæk
More information about the devel
mailing list