[NHC20000504a.0: NetBSD Panics when sent unaligned IP options]

2000-05-10T00:00:00
ID SECURITYVULNS:DOC:165
Type securityvulns
Reporter Securityvulns
Modified 2000-05-10T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
-^- http://www.newhackcity.net -^-
-^- mailto:ipfreely@newhackcity.net -^-
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
advisory_id: 20000504a.0
release_date: 2000-05-04
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

main_fracas:
It is possible to cause a kernel panic on systems running NetBSD by sending a packet remotely with an unaligned IP Timestamp option.

affected_configurations:
NetBSD 1.4.x on SPARC and Alpha platforms were tested and found to be vulnerable.
Any platform where a page fault is caused by an unaligned memory access should also be vulnerable.

unaffected_configurations:
NetBSD 1.4.x on arm32 and x86 platforms were tested and found not to panic. However, this is only because these (and a few other untested) platforms do not page fault on unaligned memory accesses.

notification:
This was originally reported to the NetBSD Security Alerts mailing list on March 1, 2000, which was before the release of NetBSD 1.4.2.

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
--<<instructions 4 reproduction>>--

1. Download, compile, and install libnet. It can be obtained from http://www.packetfactory.net
2. Download and compile the ISIC suite of utilities. They are at http://expert.cc.purdue.edu/~frantzen
3. After compiling the isic utilities, run the following from your shell of choice:
   'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505'
   where source is the source IP address (spoofed addresses work just fine), and dest is the IP address of the NetBSD machine.

NOTE: For whatever reason, Linux mangles this packet before sending it. We have found that it does work correctly when sent from FreeBSD x86, NetBSD x86, and NetBSD arm32.

Result: On the vulnerable platforms tested (listed above), a kernel panic results from an unaligned memory access. Because of the ability to spoof the packet, and the relatively small packet size, an attacker could easily crash many NetBSD machines on a given subnet with minimal effort.

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
w@rning: NO FLY ZONE

Internet Clock Watchers, Int'l. - for providing machines to test on
packetfactory.net - for "cool ass" utilities
Mike Frantzen - for writing isic
THG/FLT - WAREZ 4EVER!#%
statik - his awesome record is @ http://www.onlinehiphop.com
colt 45 - "garbage in, garbage out"
humboldt, ca - need i say more

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
* Is it the real, or is it m3m0r3x3d?! *
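The condition behind this advisory is a Timestamp option whose 32-bit slots do not fall on a 4-byte boundary within the IP header, so that kernel code reading them word-wise faults on strict-alignment CPUs. The following is an added example, not part of the advisory or of NetBSD: a Python walk of the IPv4 option area (RFC 791 layout: Timestamp option is type 68 with a 4-byte preamble of type, length, pointer and overflow/flags before the 32-bit slots) that flags such options, as a parser or IDS preprocessor would before handing the header on. The header builder and the two sample headers are constructed for the demonstration.

```python
import struct
IPOPT_EOL, IPOPT_NOP, IPOPT_TS = 0, 1, 68  # RFC 791 option type codes

def ipv4_option_alignment(packet):
    """Walk the IPv4 option area and return (type, header_offset, aligned)
    per option. For the Timestamp option the 32-bit slots begin after its
    4-byte preamble, so `aligned` says whether those slots sit on a 4-byte
    boundary from the header start; other options are judged by their start."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    report, off = [], 20
    while off < ihl:
        opt = packet[off]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:        # single-byte option, no length field
            off += 1
            continue
        if off + 1 >= ihl:
            raise ValueError("option type byte without length byte")
        olen = packet[off + 1]
        if olen < 2 or off + olen > ihl:
            raise ValueError("option length runs past the header")
        words_at = off + 4 if opt == IPOPT_TS else off
        report.append((opt, off, words_at % 4 == 0))
        off += olen
    return report

def has_unaligned_timestamp(packet):
    """True when the header carries a Timestamp option whose 32-bit
    slots are misaligned: the case the advisory says panics NetBSD."""
    return any(t == IPOPT_TS and not ok
               for t, _, ok in ipv4_option_alignment(packet))

def build_header(options):
    """Constructed sample: minimal IPv4 header (TEST-NET addresses, zero checksum) plus padded options."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts),
                       0, 0, 64, 1, 0, b"\xc0\x00\x02\x01",
                       b"\xc0\x00\x02\x02") + opts

# Timestamp option (12 bytes: 4-byte preamble + two empty slots) at offset 20.
ALIGNED = build_header(bytes([IPOPT_TS, 12, 5, 0]) + b"\x00" * 8)
# One NOP first, so the option starts at 21 and its slots at 25: misaligned.
MISALIGNED = build_header(bytes([IPOPT_NOP, IPOPT_TS, 12, 5, 0]) + b"\x00" * 8)
```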

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5EUkzM+WP9Eauj+URAutUAKCHbk8bHLulWb9MoffVvpKvwKk4WgCeJqJF
PYHYzKAVd8x6tOE+pNcSM6Q=
=dEiA
-----END PGP SIGNATURE-----