Berkeley CSUA MOTD:Entry 45977
2007/3/15-17 [Computer/SW/OS/FreeBSD] UID:45977 Activity:nil
3/14    http://www.csua.org/u/i8o
        Remote exploit in OpenBSD kernel.  Security is hard.  And yes, it
        would be really difficult to exploit this in practice. -dans
You may also be interested in these entries...
2009/5/4-6 [Computer/SW/OS/Linux, Computer/SW/OS/FreeBSD] UID:52939 Activity:moderate
5/4     I would appreciate a reliability ranking between:
        1) OpenBSD
        2) OpenSolaris
        3) FreeBSD
        4) Debian-Stable
        5) Suse Linux Enterprise Server
	...
2009/4/17-23 [Computer/SW/OS/FreeBSD] UID:52867 Activity:low
4/17    If you have general-access AssOS machines, this is worth
        taking seriously. --psb
  http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html
        <DEAD>admin.fedoraproject.org/updates/udev-127-5.fc10<DEAD>
        \_ What does this have to do with MS Windows?
           \_ psb is a bsd lover.
	...
2008/12/10-16 [Computer/HW/CPU, Computer/HW/Drives] UID:52220 Activity:moderate
12/9    Another idea for the CSUA that lets you spend money and maybe get some
    cool toys. Instead of buying a beefy server (like say, a massive server
    with 20 386DX processors), buy a few cheap machines (like the ones
    mentioned below) that have good disks and work on failover / load
    balancing. A netscaler or other piece of hardware is complete overkill,
    but maybe hacking an OpenBSD box could do the trick. The idea is that
	...
2007/7/17 [Computer/SW/Languages/C_Cplusplus] UID:47312 Activity:nil
7/13    CSUA Life Roster
1 point each for:                                               key:
                significant other (out of county rule applies)   G
                car (Chevy Novas do count)                       C
                housing (dorms DO NOT count)                     H
                own computer running reasonable multi-tasking OS U
	...
2007/7/13-16 [Computer/Networking] UID:47279 Activity:nil
7/13    I'm thinking about getting a Soekris 4501 to replace the P2-400
        that is currently acting as my home firewall. Has anyone used a
        Soekris system for this purpose? If so, how well does it work? Also,
        if there are any alternatives (similar power/form factor), I would
        appreciate links to those as well. tia.
        \_ John got me to use a WRAP box similar to Soekris.  I use this one:
	...
2007/3/13-14 [Computer/SW/OS/FreeBSD] UID:45949 Activity:nil
3/13    OpenBSD 4.1 preorder is up:
        http://www.openbsd.org/items.html#41
	...
2007/3/13-14 [Computer/SW/Security] UID:45950 Activity:nil
3/13    OpenSSH 4.6 is out:
        http://undeadly.org/cgi?action=article&sid=20070308183425
        Portable Version:
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz
        OpenBSD Version:
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.6.tar.gz
	...
2006/11/8-9 [Computer/SW/Security] UID:45263 Activity:nil
11/8    OpenSSH 4.5 is out:
        http://www.openssh.org/txt/release-4.5
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.5.tar.gz
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.5p1.tar.gz
	...
2006/9/27-28 [Computer/SW/OS/FreeBSD, Computer/SW/Security] UID:44580 Activity:nil
9/27    OpenSSH 4.4 is leftist
        http://www.openssh.org/txt/release-4.4
        OpenBSD src:
        http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz
        OpenBSD src signature:
        http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz.asc
	...
2006/9/22-25 [Computer/SW/OS/FreeBSD] UID:44496 Activity:nil
9/22    OpenBSD 4.0 available for pre-order:
        http://www.openbsd.org/40.html
	...
2006/8/16-18 [Computer/SW/OS/FreeBSD] UID:44024 Activity:nil
8/16    Greatest piece of software ever written is 4.3 BSD:
        http://tinyurl.com/go7lv (informationweek.com)
        \_ Windows is run by more computers than all other OS combined.
           \_ that only makes it common, not great.
              \_ If it wasn't great people wouldn't use it.  They'd use 4.3
                 BSD.
	...
2006/3/25-26 [Computer/SW/OS/FreeBSD] UID:42421 Activity:very high
3/24    Wow!  FreeBSD sure is stable!  After seeing soda's amazing uptime
        record, I sure want to go replace my Linux boxes with FreeBSD!
        Please do not delete this, or burn down Linus' house because I have
        blasphemed the holy FreeBSD.  I'd love to see a genuine discussion with
        examples from both sides comparing the stability of *modern* FreeBSD
        and Linux machines running on x86 hardware. -dans
	...
Cache (6672 bytes)
www.csua.org/u/i8o -> www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1703
OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems, to avoid oversimplifying ("pablumfication") the use of the term. Core requests details about the bug and, if possible, an analysis of why the OpenBSD team may or may not consider the bug exploitable for remote code execution. The "vendors contacted" section of the advisory is adjusted to reflect more accurately the nature of the communications with the OpenBSD team regarding this issue. It is not yet conclusive that the "scrub in inet6" directive will prevent exploitation. It effectively stops the bug from triggering according to Core's tests, but OpenBSD's source code inspection does not provide a clear understanding of why that happens. The "scrub" workaround recommendation is removed from the advisory as a precaution.

Release Mode: FORCED RELEASE

Vulnerability Description

The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:
1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;
2) Remote denial of service (kernel panic and subsequent system crash).

OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration. However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network (in which case the attacking system does not need to have a working IPv6 stack) or the ability to route or tunnel IPv6 packets to the target from a remote network.
OpenBSD 4.0-current
OpenBSD 4.0-stable
OpenBSD 3.9
OpenBSD 3.8
OpenBSD 3.6
OpenBSD 3.1
All other releases that implement the IPv6 protocol stack may be vulnerable.

A patch is available; it can also be applied to previous versions of OpenBSD. OpenBSD-current, 4.1, 4.0 and 3.9 have the fix incorporated in their source code tree; the kernel binaries for those versions and the upcoming version 4.1 include the fix. As a workaround, users that do not need to process or route IPv6 traffic on their systems can block all inbound IPv6 packets using OpenBSD's firewall. See the pf.conf and pfctl manpages for proper configuration and use of OpenBSD's firewall capabilities.

Credits

This vulnerability was found and researched by Alfredo Ortega from Core Security Technologies. The proof-of-concept code included in the advisory was developed by Alfredo Ortega with assistance from Mario Vilas and Gerardo Richarte.

Technical Description - Exploit/Concept Code

The vulnerability is due to improper handling of kernel memory buffers using mbuf structures. It is triggered by OpenBSD-specific code at the mbuf layer, developed to accommodate the processing of IPv6 protocol packets. By sending fragmented ICMPv6 packets an attacker can trigger an overflow of mbuf kernel memory structures, resulting either in remote execution of arbitrary code in kernel mode or in a kernel panic and subsequent system crash (a remote denial of service). Exploitation is accomplished by either:
1) Gaining control of execution flow by overwriting a function pointer, or;
2) Overwriting the mbuf's ext_nextref/ext_prevref list pointers to obtain a controlled 32-bit write into kernel memory.

The overflowed structure is an mbuf, the structure used to store network packets in kernel memory (from mbuf.h):

        /* description of external storage mapped into mbuf, valid if M_EXT set */
        struct m_ext {
                caddr_t ext_buf;
                /* ... remaining fields (among them ext_free, ext_nextref and
                   ext_prevref) are not preserved in this cached copy */
        };

By overwriting an mbuf with a crafted ICMPv6 packet (or any type of IPv6 packet), an attacker can control the flow of execution of the OpenBSD kernel when the m_freem() function is called on the overflowed packet from any place in the network stack.
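To make that mechanism concrete, here is an added example: a user-space C model written for this page, not Core's PoC and not OpenBSD's code. The struct layout, the MHLEN value, the frag_copy_vuln/frag_copy_fixed routines and the two-element pool are assumptions, and the real IPv6 fragment bug is not reproduced; only its consequence is: a copy that runs past one mbuf's data area lands in the next mbuf's m_ext, and the next m_freem() on that mbuf calls whatever ext_free now holds. The hardened copy shows the bound check that drops the oversized fragment instead.

```c
/*
 * Toy model of the overflow-into-m_ext mechanism the advisory describes.
 * ASSUMPTIONS: the layout, sizes, frag_copy_* routines and the two-element
 * pool are hypothetical, NOT OpenBSD's sys/mbuf.h and NOT the real bug.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define M_EXT 0x0001          /* "external storage valid" flag (toy value) */
#define MHLEN 128             /* toy in-mbuf data space (assumption) */

struct mbuf;
typedef void (*ext_free_t)(struct mbuf *);

struct m_ext {                /* field names follow the advisory */
    char        *ext_buf;
    ext_free_t   ext_free;    /* called by m_freem() when M_EXT is set */
    struct mbuf *ext_nextref; /* shared-cluster ring; the advisory's   */
    struct mbuf *ext_prevref; /* second variant targets these two      */
};

struct mbuf {
    struct mbuf *m_next;
    unsigned     m_len;
    unsigned     m_flags;
    struct m_ext m_ext;
    char         m_dat[MHLEN]; /* last member: an overflow runs straight
                                  into the next mbuf of the pool */
};

static struct mbuf *pool;     /* two adjacent mbufs, as a pool hands them out */
static int legit_free_calls, attacker_calls;

static void legit_ext_free(struct mbuf *m)    { (void)m; legit_free_calls++; }
/* Stands in for the kernel-mode payload the real PoC reaches via a trampoline. */
static void attacker_ext_free(struct mbuf *m) { (void)m; attacker_calls++; }

/* m_freem(): releases external storage through the function pointer. */
static void m_freem(struct mbuf *m)
{
    if (m->m_flags & M_EXT)
        m->m_ext.ext_free(m);  /* attacker-controlled after the overflow */
}

/* Vulnerable fragment handling: copies a fragment's payload to offset
 * `off` of the in-mbuf buffer without checking the buffer's size. */
static int frag_copy_vuln(struct mbuf *m, size_t off, const void *data, size_t len)
{
    char *dst = (char *)m + offsetof(struct mbuf, m_dat);
    memcpy(dst + off, data, len);            /* unbounded: overflows */
    if (off + len > m->m_len) m->m_len = (unsigned)(off + len);
    return 0;
}

/* Hardened version: drop the fragment unless it fits (overflow-safe check). */
static int frag_copy_fixed(struct mbuf *m, size_t off, const void *data, size_t len)
{
    if (len > MHLEN || off > MHLEN - len)
        return -1;
    memcpy(m->m_dat + off, data, len);
    if (off + len > m->m_len) m->m_len = (unsigned)(off + len);
    return 0;
}

static void pool_init(void)
{
    free(pool);
    pool = calloc(2, sizeof *pool);
    for (int i = 0; i < 2; i++) {
        pool[i].m_flags = M_EXT;
        pool[i].m_ext.ext_buf = pool[i].m_dat;
        pool[i].m_ext.ext_free = legit_ext_free;
        pool[i].m_ext.ext_nextref = pool[i].m_ext.ext_prevref = &pool[i];
    }
    legit_free_calls = attacker_calls = 0;
}

/* Crafted "fragment" (constructed here, not the advisory's packet): fills
 * pool[0]'s data area, then rewrites the start of pool[1] byte for byte up
 * to and including ext_free, so every other field keeps its value and only
 * the function pointer changes. Returns the payload length. */
static size_t build_payload(unsigned char *buf)
{
    size_t fill = sizeof(struct mbuf) - offsetof(struct mbuf, m_dat);
    size_t hdr  = offsetof(struct mbuf, m_ext.ext_free) + sizeof(ext_free_t);
    ext_free_t fn = attacker_ext_free;

    memset(buf, 'A', fill);
    memcpy(buf + fill, &pool[1], hdr);                    /* keep header */
    memcpy(buf + fill + hdr - sizeof fn, &fn, sizeof fn); /* swap ext_free */
    return fill + hdr;
}

/* Returns 1 when the attacker's ext_free ran as pool[1] was freed. */
static int run_vulnerable(void)
{
    unsigned char payload[2 * sizeof(struct mbuf)];
    pool_init();
    frag_copy_vuln(&pool[0], 0, payload, build_payload(payload));
    m_freem(&pool[1]);
    return attacker_calls == 1 && legit_free_calls == 0;
}

/* Returns 1 when the hardened copy rejected the fragment and pool[1]'s
 * original ext_free still ran. */
static int run_hardened(void)
{
    unsigned char payload[2 * sizeof(struct mbuf)];
    pool_init();
    int rc = frag_copy_fixed(&pool[0], 0, payload, build_payload(payload));
    m_freem(&pool[1]);
    return rc == -1 && attacker_calls == 0 && legit_free_calls == 1;
}

int main(void)
{
    printf("vulnerable copy: attacker ext_free ran = %d\n", run_vulnerable());
    printf("hardened copy:   overflow stopped      = %d\n", run_hardened());
    return 0;
}
```

Build with cc -std=c99 and run: the vulnerable path reports that the substituted ext_free ran, the hardened path that the fragment was rejected and the original free routine ran. In the real kernel the substituted pointer is the trampoline the advisory has you locate with objdump and the payload executes in kernel mode; here a counter stands in for it, and the fix is the same shape as any fragment-reassembly bound check: reject before copying.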
Also, since the mbufs are stored on a linked list, another variant of the attack is to overwrite the ext_nextref and ext_prevref pointers to cause a 32-bit write to a controlled area of kernel memory, like a user-mode heap overflow exploit.

The following is a simple working proof-of-concept program in Python that demonstrates remote code execution on vulnerable systems. It is necessary to set the target system's Ethernet address in the program to use it. It overwrites the ext_free() function pointer in the mbuf and forces an m_freem() on the overflowed packet. ([...]html or download from Debian repositories.) Currently, only systems supporting raw sockets and the PF_PACKET family can run the included proof-of-concept code. Tested against a system running "OpenBSD 4.0 CURRENT (GENERIC) Mon Oct 30".

To use the code to test a custom machine you will need to:
1) Adjust the MACADDRESS variable.
2) Find the right trampoline value for your system and replace it in the code. To find a proper trampoline value use the following command:
        objdump -d /bsd | grep esi | grep jmp
3) Adjust the ICMP checksum.

The exploit should stop on an int 3; after pressing "c" in ddb, the kernel will continue normally.

Only the header of the PoC source survives in this cached copy:

        # Description:
        #   OpenBSD ICMPv6 fragment remote execution PoC
        # Author:
        #   Alfredo Ortega
        #   Mario Vilas
        # Copyright 2001-2007 CORE Security Technologies, CORE SDI Inc.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.
http://www.coresecurity.com/corelabs/

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide. The company's flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training.

DISCLAIMER

The contents of this advisory are copyright 2007 CORE Security Technologies and 2007 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.