Slashdot Mirror
Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?
Remote openbsd crash with ip6, yet still openbsd much better than windows
i ng in this document may change without notice.
:
/* we coulnd't care less */ //joro
i net6/ip6_output.c e t/tcp_output.c?sortby=date
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anyth
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netin
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com
Nope. Microsft bought the STREAMS implementation of TCP/IP from Spyder, Inc.
The only TCP/IP-related bits MS took from BSD were a few utilities like ftp.exe and telnet.exe. The actual TCP/IP stack is not related to BSD in any way.
now, how many times does this happens to your favorite OS vendor and their favorite web browser???
from the openbsd CVS:
Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
Branch: MAIN
CVS Tags: HEAD
Changes since 1.81: +100 -18 lines
Diff to previous 1.81 (colored)
strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei
There have actually been a number of local and remote root holes in the default install of OpenBSD during that time frame..the only sense in which their claim is true is that they don't count root holes except in the head of the CVS tree. If a release from a year ago had the hole, but the current tree does not, they don't count it.
For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples.