Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...
I don't think the IPv6 install is the default. Even if it is, 'it's just a crash' not a remote hole. So, yes they can still boast.
A programmer is a machine for converting coffee into code.
I'd rather have a box crashed than a box rooted. But maybe I'm just funny that way.
Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.
I don't want knowledge. I want certainty. - Law, David Bowie
A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.
yes, when I saw this and noticed people commenting on the "Securer than tho" stance taken, my immediate thought was
"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the for, then hasnt hte OpenBSD project succeeded in its goal?"
The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.
OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.
What crackpipe have you been using? It must greatly enhance the smoking experience. The funding was not pulled "pulled moments before it was to be paid," the funds were already greatly used. There was about three months left before the funding from POSSE was ended. Theo does not seem like an ass to me, he does instead seem like someone that dismisses stupid shit that random people say because he has better things to do.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.
As a sysadmin of a college network, "just a crash" *really* helped me.
I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortuneately a legitimite $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.
Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.
Just a crash, saved several boxes. By contrast, accessible linux machines, privelege escalation - root exploit. All over.
Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.