Multiple Vendor *BSD Unaligned IP Option Denial of Service Vulnerability
BID:1173
Info
| Bugtraq ID: | 1173 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 04 2000 12:00AM |
| Updated: | May 04 2000 12:00AM |
| Credit: | This vulnerability was posted to Bugtraq on May 4, 2000 in a New Hack City advisory from NHC Research |
| Vulnerable: | NetBSD NetBSD 1.4.2 SPARC; NetBSD NetBSD 1.4.2 Alpha; NetBSD NetBSD 1.4.1 SPARC; NetBSD NetBSD 1.4.1 Alpha; NetBSD NetBSD 1.4 SPARC; NetBSD NetBSD 1.4 Alpha; FreeBSD FreeBSD 5.0; FreeBSD FreeBSD 4.0; FreeBSD FreeBSD 3.4 |
| Not Vulnerable: | NetBSD NetBSD 1.4.2 x86; NetBSD NetBSD 1.4.2 arm32; NetBSD NetBSD 1.4.1 x86; NetBSD NetBSD 1.4.1 arm32; NetBSD NetBSD 1.4 x86; NetBSD NetBSD 1.4 arm32 |
Exploit / POC
1. Download, compile, and install libnet. It can be obtained from
http://www.packetfactory.net
2. Download and compile the ISIC suite of utilities. They are at
http://expert.cc.purdue.edu/~frantzen
3. After compiling the isic utilities, run the following from your shell of choice:
'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505'
where source is the source IP address (spoofed addresses work just fine), and dest is the IP address of the NetBSD machine.
NOTE: For whatever reason, Linux mangles this packet before sending it. We have found that it does work correctly when sent from FreeBSD x86, NetBSD x86, and NetBSD arm32.
An exploit for FreeBSD is linked to below:
Solution / Fix
Solution:
FreeBSD: Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT after the respective correction dates or apply the patch.
NetBSD: Apply the patch.
NetBSD NetBSD 1.4.1 Alpha
- NetBSD 200000507-ipopt141
  ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000507-ipopt141
NetBSD NetBSD 1.4.1 SPARC
- NetBSD 200000507-ipopt141
  ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000507-ipopt141
NetBSD NetBSD 1.4.2 Alpha
- NetBSD 200000507-ipopt142
  ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000507-ipopt142
NetBSD NetBSD 1.4.2 SPARC
- NetBSD 200000507-ipopt142
  ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000507-ipopt142
FreeBSD FreeBSD 3.4
- FreeBSD ip_options.diff
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff
FreeBSD FreeBSD 4.0
- FreeBSD ip_options.diff
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff
FreeBSD FreeBSD 5.0
- FreeBSD ip_options.diff
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff