nhc.kp.txt

2000-05-05T00:00:00
ID PACKETSTORM:17790
Type packetstorm
Reporter ipfreely
Modified 2000-05-05T00:00:00

Description

                                        
                                            `  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*  
* _,=wwmmm=,_ *  
* .,=#""" `"M>_ *  
* ,gP" "&_ M *  
* & ,d" M, ,R *  
* "k ,P "k {F *  
* W ,# Vk W *  
* '$ ,W M ,F *  
* M # ____ {$ M *  
* J$ ,[,,====,,,__ ___,<m#M""""""MM@_ W *  
* # MP',,====[[""""""""_,aP""""Mww_ M gF *  
* '& ,#`,#0" -^ -"""""""F '` 'M& $ ,W *  
* $ M gF "N.M,g$ *  
* l $jR '&QE]PMw *  
* ,,M#&"$ _,,_ M]1@ $ *  
* W 'PVLB g"'["Mmg ,W{MR jT *  
* W @V&"k ,#,#"""#["&_ ,@/M{` g *  
* W $pVk%k ,#"g*g@@"w"@+M=_ ,aBgP]W W *  
* $ &_MwM>,__,gP g'gM|{| "MMw["""""" gP M@ {k *  
* @ M@ MX5""""<mP,# {|{| %,""ww==g#' M *  
* 4k "" "MmwP` ,# {k & ]&==,_ ,pw ,W *  
* & ,my,,JgMMwM, @ Vk ,g" `"Mwwm" $/F *  
* "k {`"%`@w ?MMw=wg#@$P ,P <P @" *  
* "m==M "w "Q "0M#""M M W gW ,R *  
* {k Yk & ''0ww0 " {` W # *  
* $ 0 "k # ,R @ *  
* @ { B , {k W {* *  
* fk {L W # -, # g` ,P *  
* & # JR__f' "w,,B$gM_ _4* *  
* "w_MgwM#"M+,,,,,,,,# '""`'0m" *  
* "' '' `''' *  
* *  
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*  
* _______ _____________ __ ___ ___ _____ _________ ____ __. *  
* \ \ \_ _____/ \ / \ / | \ / _ \ \_ ___ \| |/ _| *  
* / | \ | __)_\ \/\/ / / ~ \/ /_\ \/ \ \/| < *  
* / | \| \\ / \ Y / | \ \___| | \ *  
* \____|__ /_______ / \__/\ / \___|_ /\____|__ /\______ /____|__ \ *  
* \/ \/ \/ \/ \/ \/ \/ *  
* _________ .___________________.___. *  
* \_ ___ \| \__ ___/\__ | | *  
* / \ \/| | | | / | | *  
* \ \___| | | | \____ | *  
* \______ /___| |____| / ______| *  
* \/ \/ *  
* -*^*- http://www.newhackcity.net -*^*- *  
* -*^*- mailto:ipfreely@newhackcity.net -*^*- *  
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*  
* *  
* advisory_id:20000504a.0 release_date:2000-05-04 *  
* *  
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*  
* main_fracas: *  
* It is possible to cause a kernel panic on systems running NetBSD *  
* by sending a packet remotely with an unaligned IP Timestamp option. *  
* *  
* affected_configurations: *  
* NetBSD 1.4.x on SPARC and Alpha platforms were tested and found to be *  
* vulnerable. Any platform where a page fault is caused by an unaligned *  
* memory access should also be vulnerable. *  
* *  
* unaffected_configurations: *  
* NetBSD 1.4.x on arm32 and x86 platforms were tested and found to not *  
* panic. However, this is only because these (and a few other untested) *  
* platforms do not page fault on unaligned memory accesses. *  
* *  
* notification: *  
* This was originally reported to the NetBSD Security Alerts mailing list on *  
* March 1, 2000, which was before the release of NetBSD 1.4.2. *  
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*  
* --<<instructions 4 reproduction>>-- *  
* *  
* 1. Download, compile, and install libnet. It can be obtained from *  
* http://www.packetfactory.net *  
* *  
* 2. Download and compile the ISIC suite of utilities. They are at *  
* http://expert.cc.purdue.edu/~frantzen *  
* *  
* 3. After compiling the isic utilities, run the following from your shell *  
* of choice: *  
* 'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505' *  
* *  
* where source is the source IP address (spoofed addresses work just fine), *  
* and dest is the IP address of the NetBSD machine. *  
* *  
* NOTE: For whatever reason, Linux mangles this packet before sending it. We *  
* have found that it does work correctly when sent from FreeBSD x86, NetBSD *  
* x86, and NetBSD arm32. *  
* *  
* *  
* Result: *  
* On the vulnerable platforms tested (listed above), a kernel panic results *  
* from an unaligned memory access. Because of the ability to spoof the *  
* packet, and the relative small packet size, an attacker could easily *  
* crash many NetBSD machines on a given subnet with minimal effort. *  
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*  
* w@rning: NO FLY ZONE *  
* *  
* Internet Clock Watchers, Int'l. - for providing machines to test on *  
* packetfactory.net - for "cool ass" utilities *  
* Mike Frantzen - for writing isic *  
* THG/FLT - WAREZ 4EVER!#% *  
* statik - his awesome record is @ http://www.onlinehiphop.com *  
* colt 45 - "garbage in, garbage out" *  
* humboldt, ca - need i say more *  
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*  
* Is it the real, or is it m3m0r3x3d?! *  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.0.1 (GNU/Linux)  
Comment: For info see http://www.gnupg.org  
  
iD8DBQE5EUkzM+WP9Eauj+URAutUAKCHbk8bHLulWb9MoffVvpKvwKk4WgCeJqJF  
PYHYzKAVd8x6tOE+pNcSM6Q=  
=dEiA  
-----END PGP SIGNATURE-----  
  
  
  
`