Slashdot Mirror
Remotely Crash OpenBSD
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
I think it's time to upgrade to windows.
I am defenseless. Use your button. Mod me down with all of your hatred.
Or can OpenBSD still boast "Only one remote hole in the default install, in more than 7 years!" ?
--
Society has traditionally always tried to find scapegoats for its problems. Well, here I am.
I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...
No, in order to perform an attack on an OpenBSD box with this vulnerability you need to patch a Linux Kernel or roll your own network stack.
Join moola.com, play games to earn money.
I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata page.
What's a sane admin to do?
No, the ATTACKER has to patch their Linux kernel in order to attack you. So if I knew you were running OpenBSD and using IPv6 and knew your IP address, I could patch my kernel and then try to connect to your box, causing you to crash.
"People that quote themselves in their signatures bother me" - athakur999
They are saying that to exploit would require a patch to the Linux kernel.
I like your way better though!
You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?
Remote openbsd crash with ip6, yet still openbsd much better than windows
i ng in this document may change without notice.
:
/* we coulnd't care less */ //joro
i net6/ip6_output.c e t/tcp_output.c?sortby=date
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anyth
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netin
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com
Great, now when I try and check the linked article and cant get there I am left wondering if it was Slashdotted or if someone crashed the servers using the exploit.
Hell, who knows, maybe this one is Google's fault too.
...my BSD is dying...
I'd rather have a box crashed than a box rooted. But maybe I'm just funny that way.
Not log ago there was an article about not only how ipv6 isnt needed, but that since its 'new' code, it has a lot of problems that have long since been worked out of ipv4. Is this an example of that? Should we worry?
I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? and if so isnt it trivial to avoid the same early mistakes in ipv6. Does this particular problem have a ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?
Does anyone have any insight?
Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.
I don't want knowledge. I want certainty. - Law, David Bowie
A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.
yes, when I saw this and noticed people commenting on the "Securer than tho" stance taken, my immediate thought was
"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the for, then hasnt hte OpenBSD project succeeded in its goal?"
The good thing about ports is that, due to their alcohol and tannin content, you *CAN* leave them open much longer than more typical wines. I have a nice port (Fonseca) sitting open on my bar at home. I take a couple of nips from it every evening, and then replace the glass stopper on the carafe. It is a wonderful way to end the work-day. Go grab yourself a 10-year Tawny and you'll see what I mean.
You do need to be careful with how many ports you have open. I find after a couple of ports my work product increases. After a few more, it tends to decrease, exponentially going downhill with each subsequent port. You need to be especially careful with a root prompt and several open ports late at night.
For extra kicks, blind taste a Tawny against a Madeira.
Enjoy.
I have something in common with Stephen Hawking...
now, how many times does this happens to your favorite OS vendor and their favorite web browser???
from the openbsd CVS:
Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
Branch: MAIN
CVS Tags: HEAD
Changes since 1.81: +100 -18 lines
Diff to previous 1.81 (colored)
strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei
The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.
OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.
Wow! You've got a ton of porn on there!
What crackpipe have you been using? It must greatly enhance the smoking experience. The funding was not pulled "pulled moments before it was to be paid," the funds were already greatly used. There was about three months left before the funding from POSSE was ended. Theo does not seem like an ass to me, he does instead seem like someone that dismisses stupid shit that random people say because he has better things to do.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
To quote Theo, 'it is just a wardrobe malfunction.'"
A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.
As a sysadmin of a college network, "just a crash" *really* helped me.
I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortuneately a legitimite $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.
Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.
Just a crash, saved several boxes. By contrast, accessible linux machines, privelege escalation - root exploit. All over.
Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.
a complete clean room implementation using engineers that didn't read BSD TCP/IP code in school ...
...
yeah right