[NHC20000504a.0: NetBSD Panics when sent unaligned IP options]

2000-05-10T00:00:00
ID SECURITYVULNS:DOC:165
Type securityvulns
Reporter Securityvulns
Modified 2000-05-10T00:00:00

Description

-^- http://www.newhackcity.net -^-
-^- mailto:ipfreely@newhackcity.net -^-

advisory_id:20000504a.0
release_date:2000-05-04

main_fracas:
  It is possible to cause a kernel panic on systems running NetBSD
  by sending a packet remotely with an unaligned IP Timestamp option.

affected_configurations:
  NetBSD 1.4.x on SPARC and Alpha platforms were tested and found to be
  vulnerable. Any platform where a page fault is caused by an unaligned
  memory access should also be vulnerable.

unaffected_configurations:
  NetBSD 1.4.x on arm32 and x86 platforms were tested and found to not
  panic. However, this is only because these (and a few other untested)
  platforms do not page fault on unaligned memory accesses.

notification:
  This was originally reported to the NetBSD Security Alerts mailing list on
  March 1, 2000, which was before the release of NetBSD 1.4.2.

--<<instructions 4 reproduction>>--

  1. Download, compile, and install libnet. It can be obtained from
     http://www.packetfactory.net

  2. Download and compile the ISIC suite of utilities. They are at
     http://expert.cc.purdue.edu/~frantzen

  3. After compiling the isic utilities, run the following from your shell
     of choice:
     'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505'

     where source is the source IP address (spoofed addresses work just fine),
     and dest is the IP address of the NetBSD machine.

  NOTE: For whatever reason, Linux mangles this packet before sending it. We
  have found that it does work correctly when sent from FreeBSD x86, NetBSD
  x86, and NetBSD arm32.

  Result:
  On the vulnerable platforms tested (listed above), a kernel panic results
  from an unaligned memory access. Because of the ability to spoof the
  packet, and the relatively small packet size, an attacker could easily
  crash many NetBSD machines on a given subnet with minimal effort.

w@rning: NO FLY ZONE

  Internet Clock Watchers, Int'l. - for providing machines to test on
  packetfactory.net - for "cool ass" utilities
  Mike Frantzen - for writing isic
  THG/FLT - WAREZ 4EVER!#%
  statik - his awesome record is @ http://www.onlinehiphop.com
  colt 45 - "garbage in, garbage out"
  humboldt, ca - need i say more

Is it the real, or is it m3m0r3x3d?!
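A defensive check for the condition the advisory describes, as an added example (not code from the advisory or from NetBSD): it walks the IPv4 options as a receiver or packet filter would, flags a Timestamp option whose 32-bit slots do not fall on 4-byte boundaries, and reads a slot with byte loads that cannot trap on strict-alignment CPUs. The function names, the verdict enum and the sample headers are constructed for illustration; reading "unaligned" as slot offsets relative to a 4-byte-aligned header start is an assumption, and the option layout is taken from RFC 791.

```c
#include <stddef.h>
#include <stdint.h>
#define IPOPT_EOL 0
#define IPOPT_NOP 1
#define IPOPT_TS  68    /* Internet Timestamp option, RFC 791 */

enum ts_verdict { TS_NONE, TS_ALIGNED, TS_UNALIGNED, TS_MALFORMED };
/* Constructed headers (checksum left zero): option at offset 20, and the
 * same option pushed to offset 21 by one leading NOP. */
const uint8_t sample_aligned[28]   = {0x47, [20] = IPOPT_TS, 8, 5, 0, 1, 2, 3, 4};
const uint8_t sample_unaligned[32] = {0x48, [20] = IPOPT_NOP, IPOPT_TS, 8, 5, 0, 1, 2, 3, 4};

/* Big-endian 32-bit read from byte loads: no alignment trap wherever p points. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify the Timestamp option in an IPv4 header of len captured bytes.
 * Assumes hdr[0] is 4-byte aligned in the receiver's buffer. Slots start at
 * off+4 and the next one to be written is at off+ptr-1. When the option
 * holds at least one 32-bit slot, its value is stored in *slot0. */
enum ts_verdict classify_ts_option(const uint8_t *hdr, size_t len, uint32_t *slot0)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return TS_MALFORMED;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return TS_MALFORMED;
    for (size_t off = 20; off < hlen; ) {
        uint8_t type = hdr[off];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 2 > hlen) return TS_MALFORMED;
        size_t olen = hdr[off + 1];
        if (olen < 2 || off + olen > hlen)
            return TS_MALFORMED;
        if (type == IPOPT_TS) {
            uint8_t ptr = hdr[off + 2];   /* 1-based; smallest legal value is 5 */
            if (olen < 4 || ptr < 5)
                return TS_MALFORMED;
            if (olen >= 8)
                *slot0 = load_be32(hdr + off + 4);
            return (off % 4 == 0 && (ptr - 1) % 4 == 0) ? TS_ALIGNED : TS_UNALIGNED;
        }
        off += olen;
    }
    return TS_NONE;
}
```

Both sample headers yield the same slot value, which shows that the byte-wise read is indifferent to where the option lands; only the verdict differs.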