Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
No, in order to perform an attack on an OpenBSD box with this vulnerability you need to patch a Linux Kernel or roll your own network stack.
No, the ATTACKER has to patch their Linux kernel in order to attack you. So if I knew you were running OpenBSD and using IPv6 and knew your IP address, I could patch my kernel and then try to connect to your box, causing you to crash.
"People that quote themselves in their signatures bother me" - athakur999
They are saying that to exploit would require a patch to the Linux kernel.
I like your way better though!
You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?
Remote openbsd crash with ip6, yet still openbsd much better than windows
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c:
        case ICMPV6_ECHO_REPLY:
                icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); /* we couldn't care less */ //joro
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c?sortby=date
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com
You appear to be missing the whole problem.
This is a problem with OpenBSD's IPv6 implementation where if you send bad data, it looks like sending something larger than expected, then the kernel will crap out on you.
Rolling your own kernel OR building your own network stack is what's required for the REMOTE host to send these bad packets to your system and crash it.
On an unrelated note, it's a little disturbing to see this, as I just rebooted an OBSD 3.3 system to upgrade to 3.4, but then again, I don't run IPv6.
What I would say is most suspect is Theo's reaction "It's just a crash." You would hope someone who started a project to create the world's most secure OS would actually care there might be a problem.
"I use a Mac because I'm just better than you are."
Give it a little time. They usually patch -current first to test it out, then backport the patches to -stable. Patching -current first saves time in the long run, in cases like this where it's not really an MS-level issue :) IF it was more serious, -stable would get the patch first, and then it would be ported into -current.
No. They use very different kernels, though a lot of code is shared among them.
The original NT TCP/IP stack was from BSD. They've since ripped it out and put in their own.
Nope. Microsoft bought the STREAMS implementation of TCP/IP from Spyder, Inc.
The only TCP/IP-related bits MS took from BSD were a few utilities like ftp.exe and telnet.exe. The actual TCP/IP stack is not related to BSD in any way.
It's been patched in -current for 3 days now.
I'm glad they fixed it..
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c.diff?r1=1.81&r2=1.82&f=h
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.106&r2=1.107&sortby=date&f=h
[alk]
now, how many times does this happen to your favorite OS vendor and their favorite web browser???
from the openbsd CVS:
Revision 1.82, Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
Branch: MAIN
CVS Tags: HEAD
Changes since 1.81: +100 -18 lines
strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei
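The sender behaviour that commit message cites (RFC 2460 section 5, last paragraph: when a Packet Too Big reports less than 1280, the sender is not required to shrink its packets below 1280 but must add a Fragment header to them) is shown in the added C illustration below, which is not OpenBSD's or Linux's code; the header lengths and the 12-byte TCP option size are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed sizes for the illustration (RFC 2460, RFC 793). */
#define IPV6_MIN_MTU 1280  /* RFC 2460 section 5: minimum IPv6 link MTU */
#define IPV6_HDR_LEN   40
#define IPV6_FRAG_LEN   8  /* Fragment extension header */
#define TCP_HDR_LEN    20

struct pmtu_state {
    int  mtu;          /* effective path MTU the sender uses */
    bool frag_header;  /* include a Fragment header on every packet */
};

/* Naive handling: trust the MTU from a Packet Too Big message as-is.
 * The advisory's value of 68 with 12 bytes of TCP options (e.g. timestamps)
 * yields a negative MSS, a value no sender can act on sanely. */
int naive_mss(int reported_mtu, int tcp_opt_len)
{
    return reported_mtu - IPV6_HDR_LEN - TCP_HDR_LEN - tcp_opt_len;
}

/* RFC 2460 section 5, last paragraph: a reported MTU below 1280 need not
 * shrink the sender's packets below 1280; the sender keeps 1280 and adds a
 * Fragment header to every packet for that destination instead. */
void pmtu_update(struct pmtu_state *st, int reported_mtu)
{
    st->frag_header = reported_mtu < IPV6_MIN_MTU;
    st->mtu = st->frag_header ? IPV6_MIN_MTU : reported_mtu;
}

/* MSS derived from the clamped state; never below 1280 - 68 - options. */
int clamped_mss(const struct pmtu_state *st, int tcp_opt_len)
{
    int overhead = IPV6_HDR_LEN + TCP_HDR_LEN + tcp_opt_len;
    if (st->frag_header)
        overhead += IPV6_FRAG_LEN;
    return st->mtu - overhead;
}

int main(void)
{
    struct pmtu_state st;
    pmtu_update(&st, 68);  /* the MTU the advisory's patched icmp.c reports */
    printf("naive MSS: %d\n", naive_mss(68, 12));               /* -4 */
    printf("clamped MSS: %d, fragment header: %d\n",
           clamped_mss(&st, 12), st.frag_header);               /* 1200, 1 */
    return 0;
}
```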
First of all it's CowboyNeal.
Secondly, there's nothing wrong with his statement. In order to exploit the bug, you need to be running a patched Linux kernel to send the necessary packet.
How is this funny? Pinging an IPv4 address with IPv6? If you're going to make a joke, at least get it right.
-- The world is watching America, and America is watching TV.
Not only that, but for those blaming OpenSSH for making bad code that created the exploit, it was one that had been present since ossh (the free ssh implementation the OpenBSD team used to make OpenSSH).
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
There have actually been a number of local and remote root holes in the default install of OpenBSD during that time frame. The only sense in which their claim is true is that they don't count root holes except in the head of the CVS tree. If a release from a year ago had the hole, but the current tree does not, they don't count it.
For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples.
Not only that, but the winsock API almost exactly mirrors Unix. Microsoft even uses the word BSD several times in the documentation.
I beg to differ.
// hdw
Removing unused features/services/functions does add to your overall security and system stability.
If you don't use IPv6 then taking it out of your kernel is a good move.
But I agree to a point, just rampaging through your kernel config removing fluff isn't security.
Done in a sane way it's an addition to security and stability.
Executive Pope (small) Kallisti Engineering
It's hard to believe there is 'heavy' use of IPv6 when the dedicated IPv6 exchange in the UK peaks at 4Mbit/s of traffic and the LINX exchange in London has >30Gbit/s of IPv4 traffic.
https://lg.ipv6.btexact.com/lgmrtg/hopper-day.html
http://www.linx.net/tools/stats/index.thtml