Remotely Crash OpenBSD 407
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
Oh well... (Score:5, Funny)
Re:Oh well... (Score:2)
Didn't Microsoft swipe "their" XP TCP/IP stack from BSD? It'd be interesting to know if Windows could be crashed using the same exploit.
Re:Oh well... (Score:2, Informative)
Re:Oh well... (Score:5, Informative)
The only TCP/IP-related bits MS took from BSD were a few utilities like ftp.exe and telnet.exe. The actual TCP/IP stack is not related to BSD in any way.
And spyder inc. got their stack from (Score:5, Funny)
yeah right
Re:Oh well... (Score:4, Interesting)
Re:Oh well... (Score:5, Funny)
Wrong. The openbsd people obviously included this "crash feature" just so that windows people could feel at home with OpenBSD. I think it's time for Windows folks to switch to OpenBSD.
Re:Oh well... (Score:5, Funny)
Vice City relieves that.
Re:Oh well... (Score:2)
Until you read the newspaper the following morning.
Does this count? (Score:5, Interesting)
Re:Does this count? (Score:5, Insightful)
Re:Does this count? (Score:5, Interesting)
Re:Does this count? (Score:2)
Re:Does this count? (Score:2)
Most situations involving data being overwritten allow malicious control, not just crashes.
There very well may be a possible kernel level exploit (which is even worse than root level, since it can override security level settings - it can do anything).
Why does "remote hole" == elevation of privilege? (Score:5, Insightful)
Re:Does this count? (Score:2)
Re:Does this count? (Score:4, Insightful)
Personally I don't like random people crashing my servers, so I'd call it a hole!
Re:Does this count? (Score:2)
IIRC that was because the next version was already done.
Re:Does this count? (Score:3, Informative)
Not only that, but for those blaming OpenSSH for making bad code that created the exploit, it was one that had been present since ossh (the free ssh implementation the OpenBSD team used to make OpenSSH).
Re:Does this count? (Score:5, Informative)
For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples.
Re:Does this count? (Score:3, Insightful)
Just because they fixed it before it was reported doesn't mean it never existed -- or that it was never quietly exploited. This sort of semantic game detracts from the hard work that goes into OpenBSD. It may be no worse than the sort of word games used to market other software, but in an area like security where trust is paramount it needlessly raises suspicion.
Double standards? (Score:5, Insightful)
Re:Double standards? (Score:5, Funny)
Yeah, but on Windows, how can you tell the difference?
(Admit it, you asked for it)
Re:Double standards? (Score:2, Insightful)
Re:Double standards? (Score:2)
Regards
"Crash" vs. "Root Exploit" (Score:5, Insightful)
A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.
Maybe not... (Score:2)
Anyway, for this remote takedown to work, you also have to be running an IPV6 stack, right? At the moment that's a pretty small segment of techies.
Note: I am not an OpenBSD apologist... I am a Mac apologist.
Re:Maybe not... (Score:2, Funny)
Steve? :)
Now now, don't be so hard on yourself, we don't really think it's necessary to apologise
It's called selective quoting (Score:5, Insightful)
Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.
Re:Double standards? (Score:3, Insightful)
Especially given that Microsoft is a company that charges for their product, where OpenBSD is free.
Re:Double standards? (Score:2)
Unless you're claiming that MS is significantly more secure than OpenBSD, your point fails completely.
And if you ARE claiming that, you may wish to read up on the subject.
Track record (Score:5, Insightful)
The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.
OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.
Re:Double standards? (Score:2)
Yes, but Microsoft lacks credibility when it comes to security.
If William G Gates personally presented me with a signed and notarized certificate saying "It's just a crash" I'd still get a second opinion. After making sure I still had my wallet.
c.
Re:Double standards? (Score:5, Insightful)
*no comment* writes "If you are IPv6 on WinXP, it might be time to upgrade to Linux (just kidding). There is, however, a way to crash WinXP with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Bill Gates, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
Okay, now that the wording has been changed to Microsoft, doesn't it suddenly look like a typical rabid-anti-Microsoft Slashdot article? You are so blinded by the belief that everything is anti-Microsoft that you cannot even see people being sarcastic about anything not Microsoft!
Patch for production systems? (Score:5, Interesting)
What's a sane admin to do?
Re:Patch for production systems? (Score:5, Informative)
Re:Patch for production systems? (Score:3, Informative)
IPV6 (Score:2)
Re:Patch for production systems? (Score:5, Interesting)
One of the reasons OpenBSD tends to be more secure is because it ships with *almost* everything off. However, there's a solid 10+ default user accounts, 3-4 default services (sshd, sendmail, inetd/portmap), and 75+ kernel/device options you should remove/recompile out upon installation (this is all assuming your only purpose is to create an x86-based router).
Yes, you'll need to muck about with
--Ryv
Re:Patch for production systems? (Score:4, Interesting)
If I setup the system for mail - which I don't do for a simple firewall - I also use Postfix. Only other alternative is qmail and DJB's stuff is just too much of a PITA/non-standard.
--Ryv
RTFA (Score:5, Informative)
Re:RTFA (Score:2)
and, you have to: 1. know my ipv6 address or hostname and 2. be able to get your ipv6 packets to me
Re:RTFA (Score:2)
Slashdotted (Score:5, Informative)
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anyth
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netin
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com
Re:Slashdotted (Score:3, Funny)
Crash or Slash? (Score:5, Funny)
Hell, who knows, maybe this one is Google's fault too.
So this is why... (Score:4, Funny)
Mod Parent Humor-Impaired Down Please (Score:3, Funny)
Troll?!? It was humor, you insensitive clod.
What are the chances.... (Score:2, Funny)
It's only a crash....fun with python (Score:3, Funny)
Patch linux kernel 2.4.24 net/ipv6/icmp.c
case ICMPV6_ECHO_REPLY:
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev);
then:
ping6 openbsd
ssh -6 openbsd
#!/usr/bin/python
import popen2,string
def cmd_execute(cmd):
    p = popen2.Popen3(cmd)
    p.wait()
    return string.strip(p.fromchild.read())
#kill everybody
for a in range(0,255):
    for b in range(0,255):
        for c in range(0,255):
            for d in range(0,255):
                execute('ping6 ' + a + '.' + b + '.' + c + '.' + d)
                execute('ssh -6 ' + a + '.' + b + '.' + c + '.' + d)
Re:It's only a crash....fun with python (Score:2)
Re:It's only a crash....fun with python (Score:3, Informative)
about ipv6 (Score:5, Interesting)
I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? And if so, isn't it trivial to avoid the same early mistakes in ipv6? Does this particular problem have an ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?
Does anyone have any insight?
Re:about ipv6 (Score:2)
Re:about ipv6 (Score:3, Insightful)
ipv6 has security built into it, more addresses then particles in the universe, and eliminates the need f
Re:about ipv6 (Score:3, Informative)
It's hard to believe there is 'heavy' use of IPv6 when the dedicated IPv6 exchange in the UK peaks at 4Mbit/s of traffic and the LINX exchange in London has >30Gbit/s of IPv4 traffic
https://lg.ipv6.btexact.com/lgmrtg/hopper-day.html [btexact.com]
http://www.linx.net/tools/stats/index.thtml [linx.net]
Seems like "Just an incorrect size handling" (Score:3, Informative)
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/n
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/net
Mirror (Score:2)
already fixed!!! (Score:5, Informative)
from the openbsd CVS:
Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
Branch: MAIN
CVS Tags: HEAD
Changes since 1.81: +100 -18 lines
Diff to previous 1.81 (colored)
strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU < 1280). bug found by Georgi Guninski. ok dhartmei
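As an added illustration of the RFC 2460 section 5 sender rule that the commit message and the advisory's "small ipv6 mtu" trigger both refer to (this is example code, not the advisory's, the OpenBSD commit's or anyone's in this thread): a path MTU update that trusts the Next-Hop MTU from a Packet Too Big message unchecked, beside one that never lowers the estimate below 1280 and records that a Fragment header must be added. The struct and function names are assumptions; the naive variant only shows what accepting the value unchecked does to the payload arithmetic and is not a reconstruction of the OpenBSD code.

```c
#include <stdint.h>
#include <stdbool.h>

/* From RFC 2460: the minimum IPv6 link MTU and the fixed header size. */
#define IPV6_MMTU   1280u
#define IPV6_HDRLEN 40u

/* Hypothetical per-destination state (an assumption for this example). */
struct path_mtu_state {
    uint32_t mtu;       /* current path MTU estimate for this destination */
    bool     frag_hdr;  /* send a Fragment header even when not fragmenting */
};

/* Naive handling: take whatever Next-Hop MTU the Packet Too Big carried.
 * A reported 68 (as in the advisory's reproduction) ends up here unchanged. */
static void ptb_naive(struct path_mtu_state *st, uint32_t reported_mtu)
{
    st->mtu = reported_mtu;
}

/* RFC 2460 section 5, last paragraph: a node must not reduce its path MTU
 * estimate below 1280. If a smaller value is reported, keep sending
 * 1280-byte packets but include a Fragment header in each of them so a
 * translator on the path can fragment them itself. */
static void ptb_rfc2460(struct path_mtu_state *st, uint32_t reported_mtu)
{
    if (reported_mtu >= IPV6_MMTU) {
        /* Normal PMTU discovery only ever lowers the estimate. */
        if (reported_mtu < st->mtu)
            st->mtu = reported_mtu;
        return;
    }
    st->mtu = IPV6_MMTU;
    st->frag_hdr = true;
}

/* Payload bytes that fit in one packet after the IPv6 header plus the
 * upper-layer header (20 for a bare TCP header). Returns -1 when the MTU
 * cannot even hold the headers: with unsigned arithmetic that difference
 * would wrap to a huge value, which is exactly what a sender must not feed
 * to its fragmentation code. */
static long max_payload(const struct path_mtu_state *st, uint32_t ulp_hdr_len)
{
    uint32_t fixed = IPV6_HDRLEN + ulp_hdr_len;
    if (st->mtu < fixed)
        return -1;
    return (long)(st->mtu - fixed);
}
```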
qmail, too... (Score:2)
and the linux zealots cried out (Score:3, Funny)
What Theo really said.... (Score:5, Funny)
To quote Theo, 'it is just a wardrobe malfunction.'"
Just a crash.. (Score:5, Insightful)
I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortunately a legitimate $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.
Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.
Just a crash, saved several boxes. By contrast, accessible linux machines, privilege escalation - root exploit. All over.
Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.
Re:Remotely? (Score:5, Informative)
Re:Remotely? (Score:5, Informative)
Re:Remotely? (Score:3, Informative)
This is a problem with OpenBSD's IPv6 implementation where if you send bad data, it looks like sending something larger than expected, then the kernel will crap out on you.
The rolling your own kernel OR build your own network stack is what's required for the REMOTE host to send these bad packets to your system and crash it.
On an unrelated note, it's a little disturbing to see this as I just rebooted an OBSD 3.3 system to upgrade to 3.4, but then again, I don't run I
Re:Remotely? (Score:2)
Re:Remotely? (Score:2)
Seriously, it's getting fixed. You think his reaction would change the pace with which the bug gets fixed?
Re:Remotely? (Score:2)
Re:Remotely? (Score:2)
Enough good sense to RTFA, or at least properly fake as though you had.
LK
Re:patching a Linux kernel? (Score:5, Informative)
I like your way better though!
Sending Packets on Ethernet vs. Kernel Patch (Score:2)
So maybe you need to patch a Linux OS to get some help sending broken ICMPv6 packets, or maybe you just need to do creative writ
Re:Funny that... (Score:2)
(On the other hand, as everybody knows, IE is an integral part of windows and could never work on Solaris, HP-UX or Mac OS, just as it would be impossible to create a Windows version without IE, like WinXP-PE)
Re:Funny that... (Score:2)
Re:Oh wow (Score:5, Insightful)
Re:Oh wow (Score:2)
Re:Oh wow (Score:2)
There you go. Have fun.
Re:Oh wow (Score:4, Funny)
Re:Oh wow (Score:5, Funny)
Re:Oh wow (Score:2)
Re:Oh wow (Score:5, Insightful)
Re:OpenBSD crashes: how could it have been prevent (Score:2)
(Moderators: The BSD ports system has slightly less than nothing to do with TCP/IP ports being open, closed or missing on firewall or other machines. It's just a homonym (no, it has absolutely nothing to do with gays [geometry.net]).)
Re:OpenBSD crashes: how could it have been prevent (Score:5, Funny)
The good thing about ports is that, due to their alcohol and tannin content, you *CAN* leave them open much longer than more typical wines. I have a nice port (Fonseca) sitting open on my bar at home. I take a couple of nips from it every evening, and then replace the glass stopper on the carafe. It is a wonderful way to end the work-day. Go grab yourself a 10-year Tawny and you'll see what I mean.
You do need to be careful with how many ports you have open. I find after a couple of ports my work product increases. After a few more, it tends to decrease, exponentially going downhill with each subsequent port. You need to be especially careful with a root prompt and several open ports late at night.
For extra kicks, blind taste a Tawny against a Madeira.
Enjoy.
Re:OpenBSD crashes: how could it have been prevent (Score:2)
I remember the days in the late 80s and early 90s when it was (which is how I was able to afford that case of Fonseca '77)... I was a pig in shit back then.
Crash exploit usually means root exploit possible. (Score:2)
While a crash exploit doesn't guarantee it, it usually means that a root exploit is possible.
Think about it: You got the machine to execute code it shouldn't have executed (or overwrite something 'way important it shouldn't have overwritten, or with a value it shouldn't have written.) This usually means you changed the program c
Re:Such misunderstanding on common hacking lingo (Score:2)
Exactly. All it takes is a fractal on the Google homepage or a link from
Cheers
Stor
Re:Such misunderstanding on common hacking lingo (Score:2)
I dunno, man, winnuke was a big problem on our campus in 98(?). It's so much easier to crawl through a block of IPs sending a few packets than to DOS the whole netblock. You can even do it from a modem in a few minutes.
Re:ADMINS: DELETE PARENT NOW! (Score:2)
Re:ADMINS: DELETE PARENT NOW! (Score:2)
Re:do FreeBSD & OpenBSD use the same kernel? (Score:4, Informative)
Re:do FreeBSD & OpenBSD use the same kernel? (Score:2)
Re:Maybe time to drop this "securitier than thou" (Score:5, Insightful)
Re:Maybe time to drop this "securitier than thou" (Score:5, Insightful)
"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the fore, then hasn't the OpenBSD project succeeded in its goal?"
Re:Maybe time to drop this "securitier than thou" (Score:2)
Yeah, there's a dangerous problem there.
God, the intelligence on Slashdot has certainly dropped in the past few years.
Re:Maybe time to drop this "securitier than thou" (Score:2)
It should be amusing and rare to hear about these holes in ANY OS. OpenBSD should get more press than Windows for holes, after all openBSD has so few that you can safely assume the people using openBSD don't bother to pay attention, while those using Windows have to pay attention. Therefore we need extra effort to get the attention of OpenBSD users on the rare times it is needed.
Sadly it doesn't work that way. Windows users despite having lots (by comparison) of holes never patch, while openBSD seems
Re:Maybe time to drop this "securitier than thou" (Score:3, Insightful)
Re:Maybe time to drop this "securitier than thou" (Score:2)
Maybe you need to get out of this sports mentality and stop feeling inadequate when another "team" is doing better in one area than your favorite?
It's fine to have security as your focus. In fact, that's great. What turns me off is the attitude that OpenBSD is axiomatically more secure. The response from TdR shouldn't be "it's just a crash." It should be, "Man, we screwed up
Re:Is it just me.. (Score:2)
Re:Cowboyneil needs to check his head (Score:3, Informative)
Secondly, there's nothing wrong with his statement. In order to exploit the bug, you need to be running a patched Linux kernel to send the necessary packet.
Re:Just a crash? Crash == DoS, no? (Score:2, Interesting)
Now as for Microsoft, if MS patched something within... no, wait, it was patched before the bug came out... anyway, we'd cut them a bit more slack.