Remotely Crash OpenBSD

*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

  • Re:Remotely? (Score:5, Informative)

    by Beolach (518512) <beolach@jun o . c om> on Thursday February 05, 2004 @06:53PM (#8195379) Homepage Journal
    No, in order to perform an attack on an OpenBSD box with this vulnerability you need to patch a Linux Kernel or roll your own network stack.
  • Re:Remotely? (Score:5, Informative)

    by athakur999 (44340) on Thursday February 05, 2004 @06:54PM (#8195407) Journal
    No, the ATTACKER has to patch their Linux kernel in order to attack you. So if I knew you were running OpenBSD and using IPv6 and knew your IP address, I could patch my kernel and then try to connect to your box, causing you to crash.

  • by Roofus (15591) on Thursday February 05, 2004 @06:57PM (#8195446) Homepage
    They are saying that to exploit would require a patch to the Linux kernel.

    I like your way better though!
  • RTFA (Score:5, Informative)

    by Anonymous Coward on Thursday February 05, 2004 @06:57PM (#8195454)
    You have to have a modified ipv6 stack in order to exploit this bug, not to fix it. I can remotely crash your ipv6 enabled openbsd if I modify my linux kernel. Capisce?
  • Slashdotted (Score:5, Informative)

    by Anonymous Coward on Thursday February 05, 2004 @06:58PM (#8195455)
    Remote openbsd crash with ip6, yet still openbsd much better than windows

    Systems affected:
    tested on openbsd 3.4
    not clear about netbsd
    freebsd not vulnerable

    Risk: Medium
    Date: 4 February 2004

    Legal Notice:
    This Advisory is Copyright (c) 2004 Georgi Guninski.
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts
    of it without the author's written permission - this especially applies to
    so called "vulnerabilities databases" and securityfocus, microsoft, cert
    and mitre.
    If you want to link to this content use the URL:
    http://www.guninski.com/obsdmtu.html
    Anything in this document may change without notice.

    Disclaimer:
    The information in this advisory is believed to be true though
    it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.

    Description:
    It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
    and there is a listening tcp port.
    quoting de raadt: "it is just a crash."
    remote crash which screws the kernel.
    unknown whether this may be exploited for code execution.

    Details:
    The problem is triggered by setting small ipv6 mtu and then doing tcp
    connect.
    How to reproduce:
    Patch linux kernel 2.4.24 net/ipv6/icmp.c :

    case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
    icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro

    then:
    ping6 openbsd
    ssh -6 openbsd

    Workaround:
    It is believed that openbsd current is not vulnerable.
    netbsd current also seems to have related changes.
    check:
    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c [openbsd.org]
    http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c?sortby=date [netbsd.org]

    Vendor status:
    open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200

    Georgi Guninski
    http://www.guninski.com
  • Re:Remotely? (Score:3, Informative)

    by 0racle (667029) on Thursday February 05, 2004 @07:04PM (#8195509)
    You appear to be missing the whole problem.

    This is a problem with OpenBSD's IPv6 implementation where if you send bad data, it looks like sending something larger than expected, then the kernel will crap out on you.

    The rolling your own kernel OR build your own network stack is what's required for the REMOTE host to send these bad packets to your system and crash it.

    On an unrelated note, it's a little disturbing to see this as I just rebooted an OBSD 3.3 system to upgrade to 3.4, but then again, I don't run IPv6.

    What I would say is most suspect is Theo's reaction "It's just a crash." You would hope someone who started a project to create the world's most secure OS would actually care there might be a problem.
  • by Richard_at_work (517087) * <richardprice@gmai[ ]om ['l.c' in gap]> on Thursday February 05, 2004 @07:13PM (#8195593)
    Give it a little time. They usually patch -current first to test it out, then backport the patches to -stable. Patching -current first saves time in the long run, in cases like this where it's not really a MS level issue :) If it was more serious, -stable would get the patch first, and then it would be ported into -current.
  • by cant_get_a_good_nick (172131) on Thursday February 05, 2004 @07:20PM (#8195674)
    No. They use very different kernels, though a lot of code is shared among them.
  • Re:Oh well... (Score:2, Informative)

    by cant_get_a_good_nick (172131) on Thursday February 05, 2004 @07:22PM (#8195701)
    The original NT TCP/IP stack was from BSD. They've since ripped it out and put in their own.
  • Re:Oh well... (Score:5, Informative)

    by phoenix_rizzen (256998) on Thursday February 05, 2004 @07:24PM (#8195715)
    Nope. Microsoft bought the STREAMS implementation of TCP/IP from Spyder, Inc.

    The only TCP/IP-related bits MS took from BSD were a few utilities like ftp.exe and telnet.exe. The actual TCP/IP stack is not related to BSD in any way.
  • by Anonymous Coward on Thursday February 05, 2004 @07:25PM (#8195730)
    It's been patched in -current for 3 days now.
  • by loconet (415875) on Thursday February 05, 2004 @07:34PM (#8195807) Homepage
    I'm glad they fixed it..

    http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c.diff?r1=1.81&r2=1.82&f=h
    http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.106&r2=1.107&sortby=date&f=h

  • already fixed!!! (Score:5, Informative)

    by BigBadDude (683684) on Thursday February 05, 2004 @07:41PM (#8195855)
    now, how many times does this happen to your favorite OS vendor and their favorite web browser???

    from the openbsd CVS:
    Revision 1.82 / (download) - annotate - [selected], Wed Feb 4 08:47:41 2004 UTC (38 hours, 50 minutes ago) by itojun
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.81: +100 -18 lines
    Diff to previous 1.81 (colored)
    strictly follow RFC2460 section 5, last paragraph (sender behavior when path MTU 1280). bug found by Georgi Guninski. ok dhartmei
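
The receiver-side rule that commit message refers to, as an added illustration (not code from OpenBSD, the advisory, or this thread): when an ICMPv6 Packet Too Big reports an MTU below the IPv6 minimum of 1280, the sender keeps sizing packets at 1280 and includes a Fragment header instead of shrinking further. The struct and function names are hypothetical, and ICMPv6 checksum and embedded-packet validation are assumed to have been done by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP6_PACKET_TOO_BIG 2   /* ICMPv6 type (RFC 4443) */
#define IPV6_MIN_MTU 1280u       /* minimum IPv6 link MTU (RFC 2460, section 5) */
enum { IP6_HDR = 40, IP6_FRAG_HDR = 8, TCP_HDR = 20 };  /* header sizes, bytes */

/* Hypothetical per-destination path-MTU state; not a real kernel structure. */
struct pmtu_state {
    uint32_t mtu;        /* MTU used to size packets to this destination */
    int always_frag;     /* 1: include a Fragment header in every packet */
};

/* Apply one ICMPv6 message to the state. Returns 1 if the state changed,
 * 0 if the message was ignored, -1 if it is too short to parse. */
int pmtu_on_icmp6(struct pmtu_state *st, const uint8_t *msg, size_t len)
{
    uint32_t mtu;
    if (len < 8) return -1;      /* type, code, checksum, 32-bit MTU field */
    if (msg[0] != ICMP6_PACKET_TOO_BIG) return 0;
    mtu = ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
          ((uint32_t)msg[6] << 8) | (uint32_t)msg[7];
    if (mtu < IPV6_MIN_MTU) {
        /* Never size packets below 1280; flag the path so a Fragment
         * header is included (RFC 2460 section 5, last paragraph). */
        int changed = st->mtu != IPV6_MIN_MTU || !st->always_frag;
        st->mtu = IPV6_MIN_MTU;
        st->always_frag = 1;
        return changed;
    }
    if (mtu >= st->mtu) return 0;   /* Packet Too Big never raises the MTU */
    st->mtu = mtu;
    return 1;
}

/* Largest TCP payload per packet, before TCP options. */
uint32_t tcp6_max_payload(const struct pmtu_state *st)
{
    return st->mtu - IP6_HDR - (st->always_frag ? IP6_FRAG_HDR : 0) - TCP_HDR;
}

int main(void)
{
    /* Constructed sample: Packet Too Big, code 0, checksum zeroed, MTU 68. */
    const uint8_t ptb[8] = { 2, 0, 0, 0, 0, 0, 0, 68 };
    struct pmtu_state st = { 1500, 0 };
    pmtu_on_icmp6(&st, ptb, sizeof ptb);
    printf("mtu=%u frag=%d payload=%u\n", (unsigned)st.mtu, st.always_frag,
           (unsigned)tcp6_max_payload(&st));
    return 0;
}
```

With the clamp in place, the reported value of 68 from the advisory's reproduction never reaches the code that sizes TCP segments; the state ends at 1280 with the Fragment-header flag set.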

  • by Crimson Midget (41436) on Thursday February 05, 2004 @08:21PM (#8196350) Homepage
    First of all it's CowboyNeal.
    Secondly, there's nothing wrong with his statement. In order to exploit the bug, you need to be running a patched Linux kernel to send the necessary packet.
  • by pHDNgell (410691) on Thursday February 05, 2004 @09:11PM (#8196886)
    How is this funny? Pinging IPv4 address with IPv6? If you're going to make a joke, at least get it right.

  • Re:Does this count? (Score:3, Informative)

    by Nimrangul (599578) on Thursday February 05, 2004 @09:56PM (#8197218) Journal
    I recall this vaguely, that was only able to crash sshd on a recent OpenBSD box, it was exploitable on other platforms (though older OpenBSDs would have been equally vulnerable).

    Not only that, but for those blaming OpenSSH for making bad code that created the exploit, it was one that had been present since ossh (the free ssh implementation the OpenBSD team used to make OpenSSH).

  • Re:Does this count? (Score:5, Informative)

    by kkenn (83190) on Thursday February 05, 2004 @10:19PM (#8197365)
    There have actually been a number of local and remote root holes in the default install of OpenBSD during that time frame... the only sense in which their claim is true is that they don't count root holes except in the head of the CVS tree. If a release from a year ago had the hole, but the current tree does not, they don't count it.

    For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples.
  • Re:Oh well... (Score:1, Informative)

    by Anonymous Coward on Friday February 06, 2004 @01:20AM (#8198475)
    Not only that, but the winsock API almost exactly mirrors Unix. Microsoft even uses the word BSD several [microsoft.com] times [microsoft.com] in the documentation.
  • Re:You are a moron. (Score:2, Informative)

    by hdw (564237) on Friday February 06, 2004 @05:06AM (#8199276)
    I beg to differ.

    Removing unused features/services/functions does add to your overall security and system stability.

    If you don't use IPv6 then taking it out of your kernel is a good move.

    But I agree to a point, just rampaging through your kernel config removing fluff isn't security.
    Done in a sane way it's an addition to security and stability.
    // hdw
  • Re:about ipv6 (Score:3, Informative)

    by Tim the Gecko (745081) on Friday February 06, 2004 @05:20AM (#8199348)
    No major backbones carry IPv4 tunneled over IPv6. You might be thinking of MPLS [webopedia.com] which is present in a lot of backbone networks.

    It's hard to believe there is 'heavy' use of IPv6 when the dedicated IPv6 exchange in the UK peaks at 4Mbit/s of traffic and the LINX exchange in London has >30Gbit/s of IPv4 traffic

    https://lg.ipv6.btexact.com/lgmrtg/hopper-day.html [btexact.com]

    http://www.linx.net/tools/stats/index.thtml [linx.net]

  • Re:RTFA (Score:1, Informative)

    by Anonymous Coward on Sunday February 08, 2004 @03:00AM (#8216873)
    Exactly! There are just too many people that don't get this point exactly. It's nowhere near as bad as it sounds and doesn't affect many people at all.

    As an addendum to your reply, even you (the OpenBSD user...) would need to have an IPv6 address on the net in order for them to DoS you (assuming #1 and 2 in your reply...).

    Oh and the TCP port that has to be listening, HAS to be a TCPv6 port AFAIK too.
