|
Remote openbsd crash with ip6,
![[pl]](/s/countries/pl.gif) Shadow Hawkins on Friday, 06 February 2004 21:13:32
from: http://www.guninski.com/obsdmtu.html
Georgi Guninski security advisory #66, 2004
Remote openbsd crash with ip6, yet still openbsd much better than windows
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c :
case ICMPV6_ECHO_REPLY:
/* we coulnd't care less */
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c?sortby=date
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com
Remote openbsd crash with ip6,
![[se]](/s/countries/se.gif) Shadow Hawkins on Sunday, 08 February 2004 03:46:12
Patch are released for 3.4 and 3.3, read more at:
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=107620070021131
Remote openbsd crash with ip6,
"OpenBSD is the most secure OS" })
Nice mistake that everyone can make, but it proves the point that nothing is 100% perfect.
Remote openbsd crash with ip6,
![[nl]](/s/countries/nl.gif) Carmen Sandiego on Tuesday, 02 March 2004 17:43:02
Didnt seem to affect me tough. What foul does accept icmp msgs anyway. :)
Remote openbsd crash with ip6,
The foul that wants working Path MTU discovery... unless you have set your MTU to be the lowest legit size of course.
Remote openbsd crash with ip6,
![[de]](/s/countries/de.gif) Shadow Hawkins on Monday, 08 March 2004 14:51:43
What MTU do I use on the giftunnel?
For Freenet6, it was 1280 (=lowest).
Remote openbsd crash with ip6,
1280, because that is what indeed is the lowest MTU common on all platforms.
BSD boxes work with 1280, Linux and Cisco with 1440. Some others have different mtu settings. As we support all platforms 1280 was the wisest choice.
As there currently are quite a number of tunnels out there 1280 is very reasonable at the moment even though all POPs have native connectivity inside at least Europe to most major IX's, though that depends on the ISP how they manage the routing.
|
![[ch]](/s/countries/ch.gif)
on Monday, 09 February 2004 14:13:33
Posting is only allowed when you are