Linux distributions still vulnerable to fork bombing

By Derek Sooman on March 20, 2005, 2:59 AM
A fork bomb is a denial-of-service attack against UNIX-like systems, commonly written in one line of C or shell code, that "explodes" by recursively spawning copies of itself until it exhausts the process table and brings the system down. It has been known about for a long time, and one would expect modern Linux distributions to be immune to this kind of attack. Think again.

I wrote up a very simple Bourne shell script on my work machine, which runs Mandrake Linux, and executed it under my non-privileged account. Within seconds, the machine was brought to its knees -- totally crippled and unusable. I stared at my screen in disbelief for a few moments, totally stunned by what had just happened.

The author of the article tested on Mandrake, Red Hat, Gentoo and other distributions and found the problem to still exist.

[15:16:53] <@darks> but I mean, I could have killed ur box
[15:17:04] <+IronBar> no, you couldn't have.
[15:17:08] <@darks> wanna bet ?
[15:17:27] <@darks> forkbomb it

User Comments: 29

timchay said:
I am thinking about using Linux Mandrake for an office network for a lawyer. Do you think that I am going to run into the same issue?
Phantasm66 said:
Mandrake was one of the affected systems. I am trying to get the test code from somewhere. If anyone has a test script, please post it.
mangoo said:
Who writes such stupid articles? Every system is vulnerable to user errors. Why would anyone want to fork bomb oneself? If you run a system with accounts open to everyone, just put a memory/process limit for users, and problem solved. Perhaps the next post of this guy would be "XY system vulnerable, because user can format drive / press reset button / etc."?
mangoo said:
BTW, is Windows immune to fork bombs?
rsherrell said:
Mangoo, are you just a little dim? The point is that the Linux OS could be exploited by a piece of malware from outside because of this weakness in the OS. The test was run under an account that was non-privileged. So a piece of malware could launch a worldwide Linux OS DoS. Hopefully there is a Linux code change that will prevent this from happening. Quit being so arrogant and just pitch in and help rather than slamming people that write articles that at least inform us. What we do with the information is then up to us, not based upon whether you think it is a stupid article.
me(who else?) said:
Windows is vulnerable too. All you need to do is write two batch files which open each other in a new window. I.e.:
:fork
cmd /F fork.bat
GOTO fork
mangoo said:
rsherrell: it's not a flaw. By default ALL operating systems I'm aware of have it - that is, allow all users to run as many processes as they want, and use as much memory as they want. One simple change in Linux is to edit the /etc/security/limits.conf file and modify how many processes, memory, CPU etc. a user can use - see post by "me(who else?)" - oh, Windows affected too? And how about this flaw (all Linux and UNIX versions vulnerable): a non-privileged user can remove all his/her files by typing "rm -rf ~" in a command prompt, possibly denying future logins by that, and ruining his/her career. This can be easily exploited by sending an email stating "see hot chicks by running 'rm -rf ~' on your Linux box". That is, one can destroy his Linux account by typing just 8 characters! How about that one?
Phantasm66 said:
Originally posted by rsherrell: "Quit being so arrogant and just pitch in and help rather than slamming people that write articles that at least inform us. What we do with the information is then up to us, not based upon whether you think it is a stupid article."
I would have to say that I do agree with this stance. Being negative is not helping anything. Thanks rsherrell.
Mictlantecuhtli said:
In sh, it would be:
:(){ :|:& };:
Or a script:
#!/bin/sh
$0 & exec $0
Or with Perl:
perl -e "fork while fork"
Tested using GNU bash, version 2.05b.0(1)-release (powerpc-apple-darwin7.0) and perl, v5.8.1-RC3 built for darwin-thread-multi-2level. Have fun :P
edit: | should be the vertical line used in pipes.
Mictlantecuhtli said:
To protect against this in Linux, edit /etc/limits.conf (see man limits.conf), or use command 'ulimit -u 50' or whatever you want the limit to be.
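The two comments above point at /etc/security/limits.conf and ulimit -u as the mitigation. The following script is an added example, not code from the thread: it reads limits.conf-style text and reports the hard "nproc" limit a user would get, comparing a default-looking file (no cap) with a hardened one. Both file contents are constructed samples, and group ("@group") lines are deliberately ignored because the script does not resolve group membership.

```shell
#!/bin/sh
# Added example, not from the thread: audit the hard "nproc" limit that
# pam_limits would apply to a user, using limits.conf-style text.
# Simplification: only exact-user lines and the "*" wildcard are considered;
# "@group" lines need group membership, which this script does not resolve.
# Constructed sample of a default-looking limits.conf: no hard nproc at all.
LIMITS_DEFAULT='#<domain>  <type>  <item>  <value>
*          soft    nproc   unlimited
*          hard    core    0
'
# Constructed sample of the hardened file: every user gets a hard nproc cap,
# one account gets a larger one, and "-" sets both soft and hard at once.
LIMITS_HARDENED='#<domain>  <type>  <item>  <value>
*          hard    nproc   1000
alice      -       nproc   4000
*          hard    core    0
'

# Print the effective hard nproc limit for user $1 from limits.conf text on
# stdin, or "unlimited" when neither the user nor "*" has a hard/"-" nproc line.
hard_nproc_for() {
    awk -v d="$1" '
        /^[ \t]*#/ || NF < 4 { next }                 # skip comments and junk
        $3 != "nproc" || ($2 != "hard" && $2 != "-") { next }
        $1 == d   { user = $4 }                       # exact user line wins
        $1 == "*" { star = $4 }                       # wildcard is the fallback
        END {
            if (user != "") print user
            else if (star != "") print star
            else print "unlimited"
        }'
}

# Report user $1 against limits text $2; returns 1 when the user is uncapped.
check_user() {
    v=$(printf '%s' "$2" | hard_nproc_for "$1")
    if [ "$v" = "unlimited" ]; then
        echo "$1: no hard nproc limit, a fork bomb can exhaust the process table"
        return 1
    fi
    echo "$1: hard nproc=$v"
}

check_user bob "$LIMITS_DEFAULT" || true
check_user bob "$LIMITS_HARDENED"
check_user alice "$LIMITS_HARDENED"
echo "this shell's own hard limit (ulimit -H -u): $(ulimit -H -u)"
```

Feed the real /etc/security/limits.conf to hard_nproc_for to audit an actual box; remember that pam_limits applies the file only to sessions that go through PAM.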
rsherrell said:
Well Mangoo, I guess you are just too set in your ways to get the message. I didn't say "flaw" in my email, did I. Obviously this is something that can be mitigated with the right settings. Also, the rm command has been a trap in Unix since the beginning. You cannot protect everything from everyone or computers wouldn't be accessible to the general public. Also, the rm command is only dangerous to the user that entered it unless the user has root privileges and decides to enter your command string from the root of a volume. The fork problem would affect everyone using the system regardless of privileges. Obviously there exist traps like this in all operating systems at all levels. Even mainframes can be brought to a grinding halt by relatively simple mistakes. The real point is to educate, train, exchange ideas, make the OSes better piece by piece. It's way too wild out there to set up armed camps and just throw insults over the walls. It is also self-defeating. Insulting people is just worthless, demeaning and unnecessary. Learn to communicate without insults or arrogance. Also, thanks for the reinforcement comment Phantasm66. :)
---agissi--- said:
Originally posted by me(who else?): "Windows is vulnerable too. All you need to do is write two batch files which open each other in a new window. I.e.:
:fork
cmd /F fork.bat
GOTO fork"
I tried this and it doesn't work - it just opens up a cmd prompt with cmd /f fork.bat at the top and the usual MS copyright/Windows opening text at the top, then the C: open cmd input. How could you do it with batch files?
xandork said:
REM by poetfreak
REM name this redo.bat - BTW you are reaching here.
REM stop this when the screen starts to slow or you will
REM lock up your computer.
for %%a in (*.*) do redo.bat
echo yeah right.
mangoo said:
rsherrell: sorry, didn't mean to insult anyone. But I don't like people writing articles that are technically incorrect :)
So imagine this (let's start and correct the title to "ALL Operating systems vulnerable! world in danger!"):
1) we have a fork bomb flaw -> so we limit number of processes to a small number (what is a good default?) -> problem solved? no ->
2) even with a small number of processes we can use up the whole memory ->
3) so we limit number of processes to 2 (with 1 we could only log in and not even log out)
4) but hey, we can still use up the whole memory -> we limit it per user (what is the sane default for a 486 with 16 MB RAM and for x86_64 with 2 GB RAM?)
5) OK, so now we're safe? no, we aren't. ->
6) we can't use a fork bomb, or use up the whole memory, so we'll consume the whole CPU time ->
7) so we introduce yet another limitation ->
8) no fork / memory / CPU bomb, hmm, we're safe? no we're not ->
9) we will use the whole bandwidth, so even the admin won't log in to that box
10) so poor admin introduces new sane defaults -> 2 processes, max 8 megs of RAM per user, 2 kB of upload/download (what is the sane default for dialup modems and for 1 GB ethernet)? what a usable system we have so far.
11) but even then, user fills the syslog with logs (sends mails in a loop or something like that), and the system malfunctions again... and so on.
So now go on guys, write 11 articles on "how vulnerable Linux is" (I could write some more points if we split the money you earn by writing these nonsense articles)?
phantasm66 said:
The point is that this is a problem with the kernel that should have been fixed by now, and HAS BEEN FIXED on some Linux distributions and not on others. It's not about saying Linux is insecure - all operating systems are insecure by nature. I do see some of what you are saying (when I can make my way through the minefield of your spelling and punctuation mistakes) but I think in calling other people's work "nonsense" and so forth you are really being quite dismissive and slightly ignorant. I am not trying to have a go at you (I have no interest in that); I am just saying that maybe you should be more constructive, that's all. You obviously have some experience in this area, so why not tell us all about what you would do to secure your system against this kind of vulnerability.
mangoo said:
phantasm66: I've already said in comment #6 - see your /etc/security/limits.conf file, you have it explained there with examples. And it's not a kernel flaw; by saying that you're just telling lies, sorry. What is the sane default for a number of processes for an old i486 (still in use) and for a modern AMD64 processor? What is the sane default for CPU usage on these two processors? What is the sane default for memory for a system with 16 MB RAM, and for one that has 2 GB of RAM? There is none. It should be worth noting that this "flaw" is only exploitable by a local user that is logged in either locally or by some means of remote access like SSH - it is not that clear for a non-technical user, who might think that one can bring down Linux boxes just by using IRC. In other words: someone who runs a system with shell accounts open to untrusted people from all over the world is either insane (if running just a default system shipped by a vendor, with no modifications), or *REALLY* knows what he is doing and customized the system appropriately (see sourceforge.net and other similar systems offering thousands of free shell accounts and try to stop them with this "fork-Linux-vulnerability").
dingletec said:
This "vulnerability" is annoying, but it's not limited to malicious users... I have done it many times to my own systems in various bash scripts. You have a script scheduled in cron that fails for some reason, without any way to gracefully exit on failure, so over time they build up and slow your system to nothing. There is nothing you can do at that point but hit the reset button. That happened to me first out of ignorance, then out of laziness. Never in the 8 years as the admin of several Linux systems has this happened any other way. It's always been my fault; I'm my own worst enemy. My systems have never been breached, even those directly connected to the internet. Some of them have had uptimes of almost 500 days. I guess my point is that while this article points out a valid issue, it is just something you deal with until something is done about it. I'm not bothered by it. All you can do is control who has access to your systems. Of course, the same thing happens on my Windows servers occasionally. Not long ago, someone was using a server for web browsing, and of course spyware/etc. slowed the system to a crawl. I'm not going to mention Windows desktops, of course. But too many processes will kill any system I have experience with, so it's not limited to Linux/Unix.
dingletec said:
Thanks for posting the responses containing /etc/security/limits.conf and ulimit, so much to learn, so little time. It doesn't excuse bad coding on my part, but it will limit the damage my mistakes do.
Soul Harvester said:
The author made a fatal flaw in his credibility when he said "Gentoo". Anyone who uses Gentoo, aside from the very small number of genkernel users, is forced to compile their own kernel - which means the actual fault, being that users can launch as many processes as they want, lies with the person who configured the kernel to be used. Unlike Fedora, Mandrake, et cetera, there is no official kernel in Gentoo - it's no man's land and has nothing to do with the distro itself. That article is mostly rubbish mixed with common sense.
---agissi--- said:
Originally posted by xandork: "REM by poetfreak
REM name this redo.bat - BTW you are reaching here.
REM stop this when the screen starts to slow or you will
REM lock up your computer.
for %%a in (*.*) do redo.bat
echo yeah right."
This worked, but it ended/stopped after about 10 secs. (so really it didn't) [Edited by ---agissi--- on 2005-03-21 14:18:34]
Soul Harvester said:
p.s. the above-mentioned "exploit" does not work on my machine (Gentoo Linux, 2.6.9 kernel).
Soul Harvester said:
To show how useless of a report this was I just created a simple machine-halting batch file. This is a fully updated Windows XP machine with Service Pack 2, on a non-admin user. The code is as follows, in a file named go.bat:
echo blah blah blah
start cmd
start cmd go.bat /C
go.bat
After a few minutes the machine was brought to a grind; eventually it stopped responding altogether. Just goes to show how useless of a report that was. You might as well have stated, "The machine is vulnerable to someone who actually sits down and uses it." Well duh.
---agissi--- said:
what does the /C command do here Soul?
phantasm66 said:
Well, I am more into the bash shell and stuff in UNIX, but I do believe that /C means carry out the command specified by the string or the filename... am I right?
colin.horne said:
People - relax, please! Thank you to the author for sharing a potentially serious security problem. Thank you to all the users who've explained how to fix it (/etc/security/limits.conf). Thank you to those who've corrected the author, pointing out that it's a configuration error more than a kernel bug. Now, could we please find a kernel bug, and stop arguing :-)
Cheers
--Colin
---agissi--- said:
Pretty sure the last 2 posts before you weren't arguing.. P66: why put go.bat /C when go.bat will run out the file/execute the file? Why would you need the /C?
phantasm66 said:
Originally posted by colin.horne: "People - relax, please! Thank you to the author for sharing a potentially serious security problem. Thank you to all the users who've explained how to fix it (/etc/security/limits.conf). Thank you to those who've corrected the author, pointing out that it's a configuration error more than a kernel bug. Now, could we please find a kernel bug, and stop arguing :-) Cheers --Colin"
That was pretty well said. Thank you.
Soul Harvester said:
Originally posted by ---agissi---: "what does the /C command do here Soul?"
It causes CMD to terminate after it is finished executing the batch. I figured this way I could have more windows, rather than fewer stalled windows. Not sure though what the effect would be of removing it.
RaouL_BennetH said:
Hi all people :) First post for me, but I have great news for you. No more fork bombs on Linux, you just need a little setting. Setting the "ulimit" parameter makes fork bombs not usable on every Unix and Linux system. Bye all, RaouL.