SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   OpenBSD Kernel Vendors:   OpenBSD
OpenBSD IPv6 MTU Processing Flaw Lets Remote Users Crash the Kernel
SecurityTracker Alert ID:  1008944
SecurityTracker URL:  http://securitytracker.com/id/1008944
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 4 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): OpenBSD 3.4
Description:   A denial of service vulnerability was reported in OpenBSD in the processing of IPv6 packets. A remote user can cause the system to crash.

Georgi Guninski reported that a remote user can send an IPv6 packet with a small MTU to the target system and then connect to the target system via TCP to cause the target system to crash.

NetBSD may also be affected.

Steps to reproduce the flaw are described in the Source Message.

The vendor was reportedly notified on February 1, 2004.

Impact:   A remote user can cause the target system to crash.
Solution:   The report indicates that OpenBSD has issued a fix that may correct the flaw. The fix is available via CVS:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c

Vendor URL:  www.openbsd.org/ (Links to External Site)
Cause:   Boundary error, Exception handling error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 8 2004 (OpenBSD Issues Fix) OpenBSD IPv6 MTU Processing Flaw Lets Remote Users Crash the Kernel
OpenBSD has released a fix.



 Source Message Contents

Subject:  [Full-Disclosure] Remote openbsd crash with ip6, yet still openbsd much better than windows


Georgi Guninski security advisory #66, 2004

Remote openbsd crash with ip6, yet still openbsd much better than windows

Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable

Risk: Medium
Date: 4 February 2004

Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.

Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c :
case ICMPV6_ECHO_REPLY:
		/* we coulnd't care less */
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro

ping6 openbsd
ssh -6 openbsd

Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c?sortby=date

Vendor status:
open, net and freebsd were notified Sun, 1 Feb 2004 16:35:56 +0200

Georgi Guninski
http://www.guninski.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC