Date: Sat, 6 May 2000 18:19:29 -0700 From: NHC Research <ipfreely@NEWHACKCITY.NET> Subject: [NHC20000504a.0: NetBSD Panics when sent unaligned IP options] To: BUGTRAQ@SECURITYFOCUS.COM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII* * _,=wwmmm=,_ * * .,=#""" `"M>_ * * ,gP" "&_ M * * & ,d" M, ,R * * "k ,P "k {F * * W ,# Vk W * * '$ ,W M ,F * * M # ____ {$ M * * J$ ,[,,====,,,__ ___,<m#M""""""MM@_ W * * # MP',,====[[""""""""_,aP""""Mww_ M gF * * '& ,#`,#0" -^ -"""""""F '` 'M& $ ,W * * $ M gF "N.M,g$ * * l $jR '&QE]PMw * * ,,M#&"$ _,,_ M]1@ $ * * W 'PVLB g"'["Mmg ,W{MR jT * * W @V&"k ,#,#"""#["&_ ,@/M{` g * * W $pVk%k ,#"g*g@@"w"@+M=_ ,aBgP]W W * * $ &_MwM>,__,gP g'gM|{| "MMw["""""" gP M@ {k * * @ M@ MX5""""<mP,# {|{| %,""ww==g#' M * * 4k "" "MmwP` ,# {k & ]&==,_ ,pw ,W * * & ,my,,JgMMwM, @ Vk ,g" `"Mwwm" $/F * * "k {`"%`@w ?MMw=wg#@$P ,P <P @" * * "m==M "w "Q "0M#""M M W gW ,R * * {k Yk & ''0ww0 " {` W # * * $ 0 "k # ,R @ * * @ { B , {k W {* * * fk {L W # -, # g` ,P * * & # JR__f' "w,,B$gM_ _4* * * "w_MgwM#"M+,,,,,,,,# '""`'0m" * * "' '' `''' * * * *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII* * _______ _____________ __ ___ ___ _____ _________ ____ __. * * \ \ \_ _____/ \ / \ / | \ / _ \ \_ ___ \| |/ _| * * / | \ | __)_\ \/\/ / / ~ \/ /_\ \/ \ \/| < * * / | \| \\ / \ Y / | \ \___| | \ * * \____|__ /_______ / \__/\ / \___|_ /\____|__ /\______ /____|__ \ * * \/ \/ \/ \/ \/ \/ \/ * * _________ .___________________.___. * * \_ ___ \| \__ ___/\__ | | * * / \ \/| | | | / | | * * \ \___| | | | \____ | * * \______ /___| |____| / ______| * * \/ \/ * * -*^*- http://www.newhackcity.net -*^*- * * -*^*- mailto:ipfreely@newhackcity.net -*^*- * *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII* * * * advisory_id:20000504a.0 release_date:2000-05-04 * * * *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII* * main_fracas: * * It is possible to cause a kernel panic on systems running NetBSD * * by sending a packet remotely with an unaligned IP Timestamp option. * * * * affected_configurations: * * NetBSD 1.4.x on SPARC and Alpha platforms were tested and found to be * * vulnerable. Any platform where a page fault is caused by an unaligned * * memory access should also be vulnerable. * * * * unaffected_configurations: * * NetBSD 1.4.x on arm32 and x86 platforms were tested and found to not * * panic. However, this is only because these (and a few other untested) * * platforms do not page fault on unaligned memory accesses. * * * * notification: * * This was originally reported to the NetBSD Security Alerts mailing list on * * March 1, 2000, which was before the release of NetBSD 1.4.2. * *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII* * --<<instructions 4 reproduction>>-- * * * * 1. Download, compile, and install libnet. It can be obtained from * * http://www.packetfactory.net * * * * 2. Download and compile the ISIC suite of utilities. They are at * * http://expert.cc.purdue.edu/~frantzen * * * * 3. After compiling the isic utilities, run the following from your shell * * of choice: * * 'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505' * * * * where source is the source IP address (spoofed addresses work just fine), * * and dest is the IP address of the NetBSD machine. * * * * NOTE: For whatever reason, Linux mangles this packet before sending it. We * * have found that it does work correctly when sent from FreeBSD x86, NetBSD * * x86, and NetBSD arm32. * * * * * * Result: * * On the vulnerable platforms tested (listed above), a kernel panic results * * from an unaligned memory access. Because of the ability to spoof the * * packet, and the relative small packet size, an attacker could easily * * crash many NetBSD machines on a given subnet with minimal effort. * *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII* * w@rning: NO FLY ZONE * * * * Internet Clock Watchers, Int'l. - for providing machines to test on * * packetfactory.net - for "cool ass" utilities * * Mike Frantzen - for writing isic * * THG/FLT - WAREZ 4EVER!#% * * statik - his awesome record is @ http://www.onlinehiphop.com * * colt 45 - "garbage in, garbage out" * * humboldt, ca - need i say more * *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII* * Is it the real, or is it m3m0r3x3d?! * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE5EUkzM+WP9Eauj+URAutUAKCHbk8bHLulWb9MoffVvpKvwKk4WgCeJqJF PYHYzKAVd8x6tOE+pNcSM6Q= =dEiA -----END PGP SIGNATURE-----