Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remotely Crash OpenBSD

Posted by CowboyNeal on from the even-the-best-of-us dept.

*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

19 of 407 comments (clear)

  1. Oh well... by Seoulstriker · · Score: 5, Funny

    I think it's time to upgrade to windows.

    --
    I am defenseless. Use your button. Mod me down with all of your hatred.
    1. Re:Oh well... by phoenix_rizzen · · Score: 5, Informative

      Nope. Microsft bought the STREAMS implementation of TCP/IP from Spyder, Inc.

      The only TCP/IP-related bits MS took from BSD were a few utilities like ftp.exe and telnet.exe. The actual TCP/IP stack is not related to BSD in any way.

    2. Re:Oh well... by HalliS · · Score: 5, Funny
      • I think it's time to upgrade to windows.


      Wrong. The openbsd people obviously included this "crash feature" just so that windows people could feel at home with OpenBSD. I think it's time for Windows folks to switch to OpenBSD.
      --


      My other UID is 1337
  2. Does this count? by DNAspark99 · · Score: 5, Interesting

    Or can OpenBSD still boast "Only one remote hole in the default install, in more than 7 years!" ?

    --

    --
    Society has traditionally always tried to find scapegoats for its problems. Well, here I am.
    1. Re:Does this count? by inertia187 · · Score: 5, Insightful

      I don't think the IPv6 install is the default. Even if it is, 'it's just a crash' not a remote hole. So, yes they can still boast.

      --
      A programmer is a machine for converting coffee into code.
    2. Re:Does this count? by Richard_at_work · · Score: 5, Interesting

      IPv6 is available in the base install, but you have to actually have an IPv6 address assigned that people can get to to exploit this issue. Its really a non issue for the 99% of people running OpenBSD out there, but for some, like myself, its time to upgrade.

    3. Re:Does this count? by kkenn · · Score: 5, Informative

      There have actually been a number of local and remote root holes in the default install of OpenBSD during that time frame..the only sense in which their claim is true is that they don't count root holes except in the head of the CVS tree. If a release from a year ago had the hole, but the current tree does not, they don't count it.

      For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples.

  3. Double standards? by Threni · · Score: 5, Insightful

    I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

    1. Re:Double standards? by Anonymous Coward · · Score: 5, Funny

      if someone from Microsoft stated "It's just a crash"

      Yeah, but on Windows, how can you tell the difference?

      (Admit it, you asked for it)

  4. Patch for production systems? by agentZ · · Score: 5, Interesting

    I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata page.

    What's a sane admin to do?

  5. RTFA by Anonymous Coward · · Score: 5, Informative

    You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?

  6. Slashdotted by Anonymous Coward · · Score: 5, Informative

    Remote openbsd crash with ip6, yet still openbsd much better than windows

    Systems affected:
    tested on openbsd 3.4
    not clear about netbsd
    freebsd not vulnerable

    Risk: Medium
    Date: 4 February 2004

    Legal Notice:
    This Advisory is Copyright (c) 2004 Georgi Guninski.
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts
    of it without the author's written permission - this especially applies to
    so called "vulnerabilities databases" and securityfocus, microsoft, cert
    and mitre.
    If you want to link to this content use the URL:
    http://www.guninski.com/obsdmtu.html
    Anythi ng in this document may change without notice.

    Disclaimer:
    The information in this advisory is believed to be true though
    it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.

    Description:
    It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
    and there is a listening tcp port.
    quoting de raadt: "it is just a crash."
    remote crash which screws the kernel.
    unknown whether this may be exploited for code execution.

    Details:
    The problem is triggered by setting small ipv6 mtu and then doing tcp
    connect.
    How to reproduce:
    Patch linux kernel 2.4.24 net/ipv6/icmp.c :

    case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
    icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro

    then:
    ping6 openbsd
    ssh -6 openbsd

    Workaround:
    It is believed that openbsd current is not vulnerable.
    netbsd current also seems to have related changes.
    check:
    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/neti net6/ip6_output.c
    http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netine t/tcp_output.c?sortby=date

    Vendor status:
    open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200

    Georgi Guninski
    http://www.guninski.com

  7. Crash or Slash? by Halthar · · Score: 5, Funny

    Great, now when I try and check the linked article and cant get there I am left wondering if it was Slashdotted or if someone crashed the servers using the exploit.

    Hell, who knows, maybe this one is Google's fault too.

  8. It's called selective quoting by Flower · · Score: 5, Insightful
    Without seeing Theo's complete statement you can't tell if the statement is dismissive (something I find difficult to believe) or if it is qualifying - i.e. the exploit only produces a crash.

    Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  9. Re:Maybe time to drop this "securitier than thou" by ScottSpeaks! · · Score: 5, Insightful

    I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.

  10. already fixed!!! by BigBadDude · · Score: 5, Informative

    now, how many times does this happens to your favorite OS vendor and their favorite web browser???

    from the openbsd CVS:
    Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.81: +100 -18 lines
    Diff to previous 1.81 (colored)
    strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei

  11. Track record by AvantLegion · · Score: 5, Insightful
    I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

    The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.

    OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.

  12. Re:Oh wow by Nimrangul · · Score: 5, Insightful

    What crackpipe have you been using? It must greatly enhance the smoking experience. The funding was not pulled "pulled moments before it was to be paid," the funds were already greatly used. There was about three months left before the funding from POSSE was ended. Theo does not seem like an ass to me, he does instead seem like someone that dismisses stupid shit that random people say because he has better things to do.

    --
    I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
  13. Why does "remote hole" == elevation of privilege? by xswl0931 · · Score: 5, Insightful

    A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.