Date:         Sat, 6 May 2000 18:19:29 -0700
From: NHC Research <ipfreely@NEWHACKCITY.NET>
Subject:      [NHC20000504a.0: NetBSD Panics when sent unaligned IP options]
To: BUGTRAQ@SECURITYFOCUS.COM

*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
*                                  _,=wwmmm=,_                               *
*                             .,=#"""       `"M>_                            *
*                           ,gP"                "&_           M              *
*            &            ,d"                     M,         ,R              *
*            "k          ,P                        "k        {F              *
*             W         ,#                          Vk       W               *
*             '$       ,W                            M      ,F               *
*              M       #                       ____  {$     M                *
*              J$     ,[,,====,,,__   ___,<m#M""""""MM@_    W                *
*               #     MP',,====[[""""""""_,aP""""Mww_  M   gF                *
*               '&  ,#`,#0" -^    -"""""""F '`     'M&  $ ,W                 *
*                $  M gF                             "N.M,g$                 *
*                 l $jR                               '&QE]PMw               *
*               ,,M#&"$             _,,_               M]1@   $              *
*               W 'PVLB            g"'["Mmg           ,W{MR  jT              *
*               W  @V&"k         ,#,#"""#["&_        ,@/M{`  g               *
*               W  $pVk%k      ,#"g*g@@"w"@+M=_    ,aBgP]W   W               *
*               $   &_MwM>,__,gP g'gM|{| "MMw["""""" gP M@  {k               *
*               @   M@ MX5""""<mP,# {|{|   %,""ww==g#'      M                *
*               4k  ""   "MmwP` ,#  {k &    ]&==,_    ,pw  ,W                *
*                &    ,my,,JgMMwM,  @  Vk ,g"   `"Mwwm"  $/F                 *
*                "k   {`"%`@w    ?MMw=wg#@$P    ,P  <P   @"                  *
*                 "m==M  "w "Q    "0M#""M M     W  gW   ,R                   *
*                     {k  Yk  &    ''0ww0 "    {`  W    #                    *
*                      $   0  "k               #  ,R    @                    *
*                      @   {   B   ,          {k  W    {*                    *
*                      fk  {L  W   #     -,   #  g`   ,P                     *
*                       &  #  JR__f'      "w,,B$gM_ _4*                      *
*                       "w_MgwM#"M+,,,,,,,,# '""`'0m"                        *
*                         "'       ''  `'''                                  *
*                                                                            *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
* _______  _____________      __    ___ ___    _____  _________  ____  __.   *
*  \      \ \_   _____/  \    /  \  /   |   \  /  _  \ \_   ___ \|    |/ _|  *
*  /   |   \ |    __)_\   \/\/   / /    ~    \/  /_\  \/    \  \/|      <    *
* /    |    \|        \\        /  \    Y    /    |    \     \___|    |  \   *
* \____|__  /_______  / \__/\  /    \___|_  /\____|__  /\______  /____|__ \  *
*         \/        \/       \/           \/         \/        \/        \/  *
*                      _________ .___________________.___.                   *
*                      \_   ___ \|   \__    ___/\__  |   |                   *
*                      /    \  \/|   | |    |    /   |   |                   *
*                      \     \___|   | |    |    \____   |                   *
*                       \______  /___| |____|    / ______|                   *
*                              \/                \/                          *
*                     -*^*- http://www.newhackcity.net -*^*-                 *
*                   -*^*- mailto:ipfreely@newhackcity.net -*^*-              *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
*                                                                            *
*        advisory_id:20000504a.0              release_date:2000-05-04        *
*                                                                            *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
* main_fracas:                                                               *
* It is possible to cause a kernel panic on systems running NetBSD           *
* by sending a packet remotely with an unaligned IP Timestamp option.        *
*                                                                            *
* affected_configurations:                                                   *
* NetBSD 1.4.x on SPARC and Alpha platforms were tested and found to be      *
* vulnerable. Any platform where a page fault is caused by an unaligned      *
* memory access should also be vulnerable.                                   *
*                                                                            *
* unaffected_configurations:                                                 *
* NetBSD 1.4.x on arm32 and x86 platforms were tested and found to not       *
* panic. However, this is only because these (and a few other untested)      *
* platforms do not page fault on unaligned memory accesses.                  *
*                                                                            *
* notification:                                                              *
* This was originally reported to the NetBSD Security Alerts mailing list on *
* March 1, 2000, which was before the release of NetBSD 1.4.2.               *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
*                   --<<instructions 4 reproduction>>--                      *
*                                                                            *
* 1. Download, compile, and install libnet. It can be obtained from          *
* http://www.packetfactory.net                                               *
*                                                                            *
* 2. Download and compile the ISIC suite of utilities. They are at           *
* http://expert.cc.purdue.edu/~frantzen                                      *
*                                                                            *
* 3. After compiling the isic utilities, run the following from your shell   *
* of choice:                                                                 *
* 'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505'                   *
*                                                                            *
* where source is the source IP address (spoofed addresses work just fine),  *
* and dest is the IP address of the NetBSD machine.                          *
*                                                                            *
* NOTE: For whatever reason, Linux mangles this packet before sending it. We *
* have found that it does work correctly when sent from FreeBSD x86, NetBSD  *
* x86, and NetBSD arm32.                                                     *
*                                                                            *
*                                                                            *
* Result:                                                                    *
* On the vulnerable platforms tested (listed above), a kernel panic results  *
* from an unaligned memory access. Because of the ability to spoof the       *
* packet, and the relatively small packet size, an attacker could easily     *
* crash many NetBSD machines on a given subnet with minimal effort.          *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
*                          w@rning: NO FLY ZONE                              *
*                                                                            *
* Internet Clock Watchers, Int'l. - for providing machines to test on        *
* packetfactory.net - for "cool ass" utilities                               *
* Mike Frantzen - for writing isic                                           *
* THG/FLT - WAREZ 4EVER!#%                                                   *
* statik - his awesome record is @ http://www.onlinehiphop.com               *
* colt 45 - "garbage in, garbage out"                                        *
* humboldt, ca - need i say more                                             *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
* Is it the real, or is it m3m0r3x3d?!                                       *

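The panic the advisory describes comes from option-processing code touching the 32-bit slots of an IP Timestamp option that do not sit at a 4-byte boundary, which faults on SPARC and Alpha. The defensive pattern is to bounds-check every option length and to access such fields through memcpy rather than a pointer cast. The following C is an added illustration written for this page, not NetBSD's own option-processing code; the option layout follows RFC 791, the function names are hypothetical, and the sample byte strings are constructed here.

```c
#include <stdint.h>
#include <string.h>
enum { IPOPT_EOL = 0, IPOPT_NOP = 1, IPOPT_TS = 68 };

/* Constructed sample: a NOP, then a timestamp option (type 68, len 8,
 * ptr 5, oflw/flg 0) with one empty 32-bit slot. The NOP shifts the
 * option by a byte, so the slot starts at offset 5, not 4-byte aligned. */
static const uint8_t sample_opts[] = { 0x01, 68, 8, 5, 0, 0, 0, 0, 0 };
/* Constructed malformed sample: declared length runs past the buffer. */
static const uint8_t short_opts[] = { 68, 12, 5, 0, 0, 0, 0, 0 };
/* Constructed sample with no free slot left (pointer already past the end). */
static const uint8_t full_opts[] = { 68, 8, 9, 0, 0, 0, 0, 0 };

/* memcpy-based accessors work at any offset; a (uint32_t *) cast at the
 * same address would fault on SPARC, Alpha and similar platforms. */
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Walks the options, checking every length against the buffer, and stamps
 * `now` into the next free slot of a flag-0 timestamp option.
 * Returns 1 if stamped, 0 if no option or no free slot, -1 if malformed. */
int stamp_timestamp_option(uint8_t *opts, size_t optlen, uint32_t now) {
    size_t i = 0;
    while (i < optlen && opts[i] != IPOPT_EOL) {
        if (opts[i] == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return -1;
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen) return -1;
        if (opts[i] == IPOPT_TS) {
            if (len < 4) return -1;
            uint8_t ptr = opts[i + 2];                        /* 1-based, >= 5 */
            if ((opts[i + 3] & 0x0f) != 0) return 0;          /* timestamps-only form */
            if (ptr < 5 || (size_t)ptr - 1 + 4 > len) return 0; /* option full */
            put32(opts + i + ptr - 1, now);
            opts[i + 2] = (uint8_t)(ptr + 4);
            return 1;
        }
        i += len;
    }
    return 0;
}

/* Stamps a copy of a sample in `scratch` and returns the parser's result. */
static uint8_t scratch[40];                  /* IP options are at most 40 bytes */
int probe(const uint8_t *src, size_t n, uint32_t now) {
    if (n > sizeof scratch) return -1;
    memset(scratch, 0, sizeof scratch);
    memcpy(scratch, src, n);
    return stamp_timestamp_option(scratch, n, now);
}
/* Value at the unaligned slot (offset 5) of the last probed buffer. */
uint32_t probed_slot(void) { return get32(scratch + 5); }
```

On x86 and arm32 the cast-based version happens to work, which is exactly why the advisory reports those platforms as not panicking; the memcpy form behaves the same on every platform.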