Free Republic
Browse · Search
News/Activism
Topics · Post Article


Remote Exploit Discovered for OpenBSD
Core Security ^ | 2007-03-13 | Core Security labs

Posted on 03/15/2007 10:23:10 AM PDT by zeugma

Core Security is reporting a remote buffer exploit for the OpenBSD operating system. This is also being reported on /.

Title: OpenBSD's IPv6 mbufs remote kernel buffer overflow

Class: Buffer Overflow

Remotely Exploitable: Yes

Locally Exploitable: No


Advisory URL:
http://www.coresecurity.com/?action=item&id=1703

Vendors contacted:

OpenBSD.org


Vulnerability Description
The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:

1) Remote execution of arbitrary code at the kernel level on vulnerable systems (complete system compromise), or

2) Remote denial of service against vulnerable systems (system crash due to a kernel panic).

The issue can be triggered by sending a specially crafted fragmented IPv6 packet.

OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration.

However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets onto the target system's local network. This requires either direct physical or logical access to the target's local network (in which case the attacking system does not need a working IPv6 stack of its own), or the ability to route or tunnel IPv6 packets to the target from a remote network.

Vulnerable Packages

OpenBSD 4.1 prior to Feb. 26th, 2007.
OpenBSD 4.0 Current
OpenBSD 4.0 Stable
OpenBSD 3.9
OpenBSD 3.8
OpenBSD 3.6
OpenBSD 3.1

All other releases that implement the IPv6 protocol stack may be vulnerable.

Solution/Vendor Information/Workaround
The OpenBSD team has released a "security fix" to correct the mbuf problem. It is available as a source code patch for OpenBSD 4.0 and 3.9 here:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch

The patch can also be applied to previous versions of OpenBSD.

OpenBSD-current, 4.1, 4.0 and 3.9 have the fix incorporated in their source code trees; kernel binaries for those versions and for the upcoming 4.1 release include the fix.

As a workaround, users who do not need to process or route IPv6 traffic on their systems can block all inbound IPv6 packets using OpenBSD's firewall. This can be accomplished by adding the following line to /etc/pf.conf. The quick keyword matters: PF evaluates the whole ruleset and the last matching rule wins, so without quick a later pass rule could re-admit the IPv6 traffic this rule is meant to drop.

block in quick inet6 all

After adding the desired rules to pf.conf it is necessary to load them to the running PF using:

pfctl -f /etc/pf.conf

To enable PF use:
pfctl -e -f /etc/pf.conf

To check the status of PF and list all loaded rules use:
pfctl -s rules

Refer to the pf.conf(5) and pfctl(8) manpages for proper configuration and use of OpenBSD's firewall capabilities.




TOPICS: Business/Economy; Miscellaneous; News/Current Events; Technical
KEYWORDS: bsd; bug; remoteexploit; vulnerability
Remotely exploitable bugs are bad news. To the best of my knowledge, this is only the 2nd such bug ever discovered in BSD. -Z

Proof of concept code was published with the advisory. If you're running OpenBSD and use IPV6 (which actually should be a fairly small group), you should check out the patch linked to in the advisory.

If you're not using IPV6, you may mitigate the impact by following the instructions published by the OpenBSD team to deal with the threat.



1 posted on 03/15/2007 10:23:20 AM PDT by zeugma
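The advisory above says the bug is triggered by a "specially crafted fragmented IPv6 packet" handled in the kernel's mbuf code. As an added example (this is not Core Security's proof-of-concept, not OpenBSD's code, and not a reproduction of the mbuf defect itself), the following C program decodes the IPv6 Fragment extension header that such a packet carries and applies the reassembly sanity checks from RFC 2460: the header's claimed Payload Length must not exceed the bytes actually received, every fragment except the last must carry a multiple of 8 bytes, and fragment offset plus data length must not exceed a 65535-byte reassembled payload. The packet builder, the link-local addresses fe80::1 and fe80::2, the identification value 0xc0de and the 'A' filler are constructed test data; the parser assumes the Fragment header is the first extension header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN      40
#define IPV6_FRAG_HDR_LEN  8
#define IPV6_NH_FRAGMENT  44      /* Next Header value of the Fragment header */
#define IPV6_MAX_PAYLOAD  65535   /* largest Payload Length a 16-bit field can hold */

struct frag_info {
    uint8_t  inner_nh;   /* Next Header carried in the Fragment header */
    uint32_t offset;     /* fragment offset in bytes (the field is in 8-byte units) */
    int      more;       /* M flag: more fragments follow */
    uint32_t id;         /* Identification */
    size_t   data_len;   /* fragment data after the Fragment header */
};

enum frag_verdict {
    FRAG_OK = 0,
    FRAG_TRUNCATED,      /* buffer shorter than the headers claim */
    FRAG_NOT_IPV6,
    FRAG_NOT_FRAGMENT,   /* first extension header is not a Fragment header */
    FRAG_BAD_LENGTH,     /* non-final fragment whose data is not a multiple of 8 */
    FRAG_TOO_BIG         /* offset + data would exceed a 65535-byte payload */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode a packet whose first extension header is a Fragment header and apply
 * the RFC 2460 reassembly checks.  Fills *out (if non-NULL) only on FRAG_OK. */
enum frag_verdict parse_ipv6_fragment(const uint8_t *pkt, size_t len, struct frag_info *out)
{
    if (len < IPV6_HDR_LEN)
        return FRAG_TRUNCATED;
    if ((pkt[0] >> 4) != 6)
        return FRAG_NOT_IPV6;
    if (pkt[6] != IPV6_NH_FRAGMENT)
        return FRAG_NOT_FRAGMENT;
    uint16_t payload_len = rd16(pkt + 4);
    /* Never size a copy from the header's claim; check it against bytes received. */
    if (payload_len < IPV6_FRAG_HDR_LEN || (size_t)IPV6_HDR_LEN + payload_len > len)
        return FRAG_TRUNCATED;
    const uint8_t *fh = pkt + IPV6_HDR_LEN;
    uint16_t offlg = rd16(fh + 2);       /* 13-bit offset | 2 reserved bits | M flag */
    struct frag_info fi = {
        .inner_nh = fh[0],
        .offset   = (uint32_t)(offlg & 0xfff8),   /* same as (offlg >> 3) * 8 */
        .more     = offlg & 1,
        .id       = rd32(fh + 4),
        .data_len = (size_t)payload_len - IPV6_FRAG_HDR_LEN,
    };
    /* Every fragment except the last must carry a multiple of 8 bytes. */
    if (fi.more && (fi.data_len % 8) != 0)
        return FRAG_BAD_LENGTH;
    /* Offset and length are both attacker-chosen: bound their sum, not each alone. */
    if ((size_t)fi.offset + fi.data_len > IPV6_MAX_PAYLOAD)
        return FRAG_TOO_BIG;
    if (out)
        *out = fi;
    return FRAG_OK;
}

/* Constructed test packet: fe80::1 -> fe80::2, Fragment header first, 'A' filler.
 * off_units is the 13-bit offset field.  Returns the packet length, 0 if it does not fit. */
size_t build_fragment(uint8_t *buf, size_t bufsz, uint16_t off_units, int more,
                      uint32_t id, uint16_t data_len)
{
    size_t total = IPV6_HDR_LEN + IPV6_FRAG_HDR_LEN + data_len;
    if (total > bufsz || data_len > IPV6_MAX_PAYLOAD - IPV6_FRAG_HDR_LEN)
        return 0;
    uint16_t plen  = (uint16_t)(IPV6_FRAG_HDR_LEN + data_len);
    uint16_t offlg = (uint16_t)(((off_units & 0x1fff) << 3) | (more ? 1 : 0));
    memset(buf, 0, total);
    buf[0] = 0x60;                                      /* version 6 */
    buf[4] = (uint8_t)(plen >> 8);  buf[5] = (uint8_t)plen;
    buf[6] = IPV6_NH_FRAGMENT;                          /* Next Header = 44 */
    buf[7] = 64;                                        /* hop limit */
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 1;          /* src fe80::1 */
    buf[24] = 0xfe; buf[25] = 0x80; buf[39] = 2;        /* dst fe80::2 */
    uint8_t *fh = buf + IPV6_HDR_LEN;
    fh[0] = 59;                                         /* inner Next Header: none */
    fh[2] = (uint8_t)(offlg >> 8);  fh[3] = (uint8_t)offlg;
    fh[4] = (uint8_t)(id >> 24); fh[5] = (uint8_t)(id >> 16);
    fh[6] = (uint8_t)(id >> 8);  fh[7] = (uint8_t)id;
    memset(fh + IPV6_FRAG_HDR_LEN, 'A', data_len);
    return total;
}

/* Build a fragment with the given fields, optionally drop trailing bytes as a
 * truncated capture would, and return the parser's verdict. */
enum frag_verdict classify_fragment(uint16_t off_units, int more, uint16_t data_len, size_t drop_tail)
{
    uint8_t buf[IPV6_HDR_LEN + IPV6_FRAG_HDR_LEN + 1500];
    size_t n = build_fragment(buf, sizeof buf, off_units, more, 0xc0de, data_len);
    if (n == 0 || drop_tail > n)
        return FRAG_TRUNCATED;
    return parse_ipv6_fragment(buf, n - drop_tail, NULL);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "not-ipv6", "not-fragment", "bad-length", "too-big" };
    printf("first fragment, 1232 bytes:        %s\n", names[classify_fragment(0, 1, 1232, 0)]);
    printf("last fragment at 65528 + 16 bytes: %s\n", names[classify_fragment(8191, 0, 16, 0)]);
    printf("middle fragment, 20 bytes:         %s\n", names[classify_fragment(0, 1, 20, 0)]);
    printf("first fragment, 1 byte missing:    %s\n", names[classify_fragment(0, 1, 1232, 1)]);
    return 0;
}
```

The check to notice is the last one in parse_ipv6_fragment: the attacker chooses both the offset and the length, so a receiver that validates either field alone, or that sizes a copy from the Payload Length field rather than from the bytes it actually received, ends up writing into a buffer it sized from the wrong number. That is the general shape of a fragment-reassembly memory-corruption bug; whether it matches the specific OpenBSD defect is not stated in the advisory, so nothing here should be read as a description of it. A full implementation walks the extension-header chain to reach next header 44 rather than requiring the Fragment header to come first.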

To: N3WBI3; ShadowAce

Tech folk might be interested.


2 posted on 03/15/2007 10:24:07 AM PDT by zeugma (MS Vista has detected your mouse has moved, Cancel or Allow?)

To: zeugma

Does it apply to other flavors like FreeBSD or OS X?


3 posted on 03/15/2007 10:26:19 AM PDT by antiRepublicrat

To: antiRepublicrat
Does it apply to other flavors like FreeBSD or OS X?

As of right now, it doesn't look like it. I'm sure other folks are going to be banging on the IPv6 code on all distros in a similar manner though, so we'll find out.

4 posted on 03/15/2007 10:44:34 AM PDT by zeugma (MS Vista has detected your mouse has moved, Cancel or Allow?)

To: zeugma

Whew. I thought the headline read, OpenBDS. We would've been overrun with trolls.


5 posted on 03/15/2007 10:46:08 AM PDT by 1rudeboy

To: 1rudeboy

"To enable PF use:
pfctl -e -f /etc/pf.conf"

Ah ha! it's all very clear now - it was Colonel Mustard in the cloak room with a candle stick!!!


6 posted on 03/15/2007 10:49:42 AM PDT by Domicile of Doom (Hey boy why is there dirt in my hole? I dunno Boss.)

To: 1rudeboy
Whew. I thought the headline read, OpenBDS. We would've been overrun with trolls.

Especially if FR allowed mp3 embeds. We'd be ODing on Enigma.

7 posted on 03/15/2007 11:01:11 AM PDT by zeugma (MS Vista has detected your mouse has moved, Cancel or Allow?)

To: rdb3; chance33_98; Calvinist_Dark_Lord; PenguinWry; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; ..

8 posted on 03/16/2007 4:03:18 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: zeugma

Exploits on BSD are boring, they always have a fix in the same announcement. i prefer windows where it will sit out there for several weeks before something gets done about it.


nothing to see here, move along people.


9 posted on 03/17/2007 10:21:12 AM PDT by postaldave (republicans need spending rehab before trying to control congress again.)

To: postaldave
Exploits on BSD are boring, they always have a fix in the same announcement.


LOL. Trouble is, the BSD exploit sample size is really too small to be able to make such a generalization.

i prefer windows where it will sit out there for several weeks before something gets done about it.

I guess it does kinda bring some excitement into your day.

10 posted on 03/17/2007 2:54:15 PM PDT by zeugma (MS Vista has detected your mouse has moved, Cancel or Allow?)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson