SECURITYVULNS:DOC:165
May 10, 2000 - 12:00 a.m.

[NHC20000504a.0: NetBSD Panics when sent unaligned IP options]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

-*^*- http://www.newhackcity.net -*^*-
-*^*- mailto:[email protected] -*^*-

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

advisory_id:20000504a.0              release_date:2000-05-04

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

main_fracas:
It is possible to cause a kernel panic on systems running NetBSD
by sending a packet remotely with an unaligned IP Timestamp option.

affected_configurations:
NetBSD 1.4.x on SPARC and Alpha platforms was tested and found to be
vulnerable. Any platform where a page fault is caused by an unaligned
memory access should also be vulnerable.

unaffected_configurations:
NetBSD 1.4.x on arm32 and x86 platforms was tested and found not to
panic. However, this is only because these (and a few other untested)
platforms do not page fault on unaligned memory accesses.
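
The alignment condition described above, as an added example that is not part of the original advisory and is not NetBSD's code: a C check that walks IPv4 header options using the RFC 791 layout and reports whether the next Timestamp slot falls on a 4-byte boundary, plus a store that is safe either way. It assumes the header starts on a 4-byte boundary and that "unaligned" means the slot offset is not a multiple of 4; all function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Option numbers per RFC 791; all other names are hypothetical (this example's own). */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_TS = 68 };
enum ts_result { TS_ABSENT, TS_FULL, TS_ALIGNED, TS_UNALIGNED, TS_MALFORMED };

/* Find the first Timestamp option in an IPv4 header and report where the next
 * 32-bit timestamp would be written. Assumes hdr[0] sits on a 4-byte boundary,
 * so a slot is word-aligned exactly when its header offset is a multiple of 4. */
enum ts_result check_ts_option(const uint8_t *hdr, size_t len, size_t *slot)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return TS_MALFORMED;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;   /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > len)
        return TS_MALFORMED;
    for (size_t off = 20; off < hlen; ) {
        uint8_t type = hdr[off];
        if (type == OPT_EOL)
            break;
        if (type == OPT_NOP) { off++; continue; }
        if (hlen - off < 2)
            return TS_MALFORMED;                 /* no room for a length byte */
        size_t optlen = hdr[off + 1];
        if (optlen < 2 || optlen > hlen - off)
            return TS_MALFORMED;                 /* option overruns the header */
        if (type != OPT_TS) { off += optlen; continue; }
        if (optlen < 4 || hdr[off + 2] < 5)      /* pointer: smallest legal value 5 */
            return TS_MALFORMED;
        size_t ptr = hdr[off + 2];               /* 1-based offset within the option */
        if (ptr - 1 + 4 > optlen)
            return TS_FULL;                      /* no space for another stamp */
        *slot = off + ptr - 1;
        return (*slot % 4 == 0) ? TS_ALIGNED : TS_UNALIGNED;
    }
    return TS_ABSENT;
}

/* Alignment-safe store. memcpy assumes nothing about the alignment of a byte
 * pointer; *(uint32_t *)(hdr + slot) = ts would trap on a strict-alignment
 * CPU whenever slot is not a multiple of 4. */
void stamp_slot(uint8_t *hdr, size_t slot, uint32_t ts_net)
{
    memcpy(hdr + slot, &ts_net, sizeof ts_net);
}
```

A filter or IDS hook can drop or log packets classified `TS_UNALIGNED` or `TS_MALFORMED` before they reach an unpatched host.
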

notification:
This was originally reported to the NetBSD Security Alerts mailing list on
March 1, 2000, which was before the release of NetBSD 1.4.2.

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

--<<instructions 4 reproduction>>--

1. Download, compile, and install libnet. It can be obtained from
   http://www.packetfactory.net

2. Download and compile the ISIC suite of utilities. They are at
   http://expert.cc.purdue.edu/~frantzen

3. After compiling the isic utilities, run the following from your shell
   of choice:
   'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505'

   where source is the source IP address (spoofed addresses work just fine),
   and dest is the IP address of the NetBSD machine.

NOTE: For whatever reason, Linux mangles this packet before sending it. We
have found that it does work correctly when sent from FreeBSD x86, NetBSD
x86, and NetBSD arm32.

Result:
On the vulnerable platforms tested (listed above), a kernel panic results
from an unaligned memory access. Because of the ability to spoof the
packet, and the relatively small packet size, an attacker could easily
crash many NetBSD machines on a given subnet with minimal effort.

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

w@rning: NO FLY ZONE

Internet Clock Watchers, Int'l. - for providing machines to test on
packetfactory.net - for "cool ass" utilities
Mike Frantzen - for writing isic
THG/FLT - WAREZ 4EVER!#%
statik - his awesome record is @ http://www.onlinehiphop.com
colt 45 - "garbage in, garbage out"
humboldt, ca - need i say more

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Is it the real, or is it m3m0r3x3d?!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5EUkzM+WP9Eauj+URAutUAKCHbk8bHLulWb9MoffVvpKvwKk4WgCeJqJF
PYHYzKAVd8x6tOE+pNcSM6Q=
=dEiA
-----END PGP SIGNATURE-----