[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: TCP stack attack?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: TCP stack attack?
From: coderman <coderman@xxxxxxxxx>
Date: Sun, 24 Oct 2010 20:38:11 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Sun, 24 Oct 2010 23:38:20 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=8Jqagz1TK5A5ax3Ys9nfXHXMrLix27jJLT/vNafaqMA=; b=SCu122f/SIh6gq3YWHLvdvY7WXW4QtP8UJGEKWVPbbBn3L/dxAOaYBOt7UTeYp49Jh /LNmg/NjLgEbSjIYqZ0Q/DyJB9EApWLaoDAv5O6aF9+vqCzcmKbm9QlPyv8VClObiBCY EpJMN3cp+AWO5P8WHu7bf2eTcxU8fn1bWXnTM=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=LNPDwN2DcLp+YysX5AMVIjUkAmKCc0SFKGGgtyA3Ol85yvXUZVGMJIEbG8Y0g1wK+M nc5rl5wgh6L9VjPM04E7zIL+zCE+RtzSF++IsCQk8JD4/hZ9h/KdTDy00T7pyLnWIaPc mhAAtAYK4v6DznCSZlXtPRGc2ft2RPc/bdmaU=
In-reply-to: <AANLkTimEm75ZW9vZ_zP275jZ91QcSTu5xtiXshFmQdNR@xxxxxxxxxxxxxx>
References: <AANLkTim-piP6j4TPO9f4K5rzNFg0sh3LZQE0Ef7TzbA9@xxxxxxxxxxxxxx> <20101023175947.20478894@xxxxxxxxx> <AANLkTimEm75ZW9vZ_zP275jZ91QcSTu5xtiXshFmQdNR@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Sun, Oct 24, 2010 at 8:28 PM, coderman <coderman@xxxxxxxxx> wrote:
> ...
> 1.  remote ring0 do happen, c.f. CORE-2007-0219: OpenBSD's IPv6 mbufs
> remote kernel buffer overflow.

Forgot to link to the announce in question; it is worthy of a read if
only to emphasize why any claim of immunity from a broad class of
threats with blanket assurance is a strong claim best made after
thorough and extensive effort to prove it to yourself via technical
applied testing and measurement.

http://www.coresecurity.com/content/open-bsd-advisorie
"OpenBSD's IPv6 mbufs remote kernel buffer overflow"
2007-02-20: First notification sent by Core.
2007-02-20: Acknowledgement of first notification received from the
OpenBSD team.
...
2007-02-26: OpenBSD team communicates that the issue is specific to
OpenBSD. OpenBSD no longer uses the term "vulnerability" when
referring to bugs that lead to a remote denial of service attack, as
opposed to bugs that lead to remote control of vulnerable systems...
2007-03-05: Core develops proof of concept code that demonstrates
remote code execution in the kernel context by exploiting the mbuf
overflow.
2007-03-05: OpenBSD team notified of PoC availability.
2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source
tree branches and releases a "reliability fix" notice on the project's
website.
...
The OpenBSD kernel contains a memory corruption vulnerability in the
code that handles IPv6 packets. Exploitation of this vulnerability can
result in:

1) Remote execution of arbitrary code at the kernel level on the
vulnerable systems (complete system compromise), or;

2) Remote denial of service attacks against vulnerable systems (system
crash due to a kernel panic)

The issue can be triggered by sending a specially crafted IPv6
fragmented packet.

OpenBSD systems using default installations are vulnerable because the
default pre-compiled kernel binary (GENERIC) has IPv6 enabled and
OpenBSD's firewall does not filter inbound IPv6 packets in its default
configuration.

However, in order to exploit a vulnerable system an attacker needs to
be able to inject fragmented IPv6 packets on the target system's local
network.
...
"""
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

References:
- TCP stack attack?
  - From: Julie C
- Re: TCP stack attack?
  - From: Robert Ransom
- Re: TCP stack attack?
  - From: coderman

Prev by Author: Re: TCP stack attack?
Next by Author: Re: DNS with Tor (compared to VPNs).
Previous by thread: Re: TCP stack attack?
Next by thread: Three circuit hops as default.How does this function?
Index(es):
- Author
- Thread