TCP stack attack?

coderman coderman at gmail.com
Mon Oct 25 03:38:11 UTC 2010


On Sun, Oct 24, 2010 at 8:28 PM, coderman <coderman at gmail.com> wrote:
> ...
> 1.  remote ring0 do happen, c.f. CORE-2007-0219: OpenBSD's IPv6 mbufs
> remote kernel buffer overflow.

Forgot to link to the announce in question; it is worthy of a read if
only to emphasize why any claim of immunity from a broad class of
threats with blanket assurance is a strong claim best made after
thorough and extensive effort to prove it to yourself via technical
applied testing and measurement.

http://www.coresecurity.com/content/open-bsd-advisorie
"OpenBSD's IPv6 mbufs remote kernel buffer overflow"
2007-02-20: First notification sent by Core.
2007-02-20: Acknowledgement of first notification received from the
OpenBSD team.
...
2007-02-26: OpenBSD team communicates that the issue is specific to
OpenBSD. OpenBSD no longer uses the term "vulnerability" when
referring to bugs that lead to a remote denial of service attack, as
opposed to bugs that lead to remote control of vulnerable systems...
2007-03-05: Core develops proof of concept code that demonstrates
remote code execution in the kernel context by exploiting the mbuf
overflow.
2007-03-05: OpenBSD team notified of PoC availability.
2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source
tree branches and releases a "reliability fix" notice on the project's
website.
...
The OpenBSD kernel contains a memory corruption vulnerability in the
code that handles IPv6 packets. Exploitation of this vulnerability can
result in:

1) Remote execution of arbitrary code at the kernel level on the
vulnerable systems (complete system compromise), or;

2) Remote denial of service attacks against vulnerable systems (system
crash due to a kernel panic)

The issue can be triggered by sending a specially crafted IPv6
fragmented packet.

OpenBSD systems using default installations are vulnerable because the
default pre-compiled kernel binary (GENERIC) has IPv6 enabled and
OpenBSD's firewall does not filter inbound IPv6 packets in its default
configuration.

However, in order to exploit a vulnerable system an attacker needs to
be able to inject fragmented IPv6 packets on the target system's local
network.
...
"""