dugg
Cat Chaser

Joined: 18 Jan 2001
Posts: 736
Location: 15 miles from Hell

Posted: Wed Mar 14, 2007 3:52 am   Post subject: Only two remote holes in the default install, in 10+ years!

Date Published: 2007-03-13

Last Update: 2007-03-13

Advisory ID: CORE-2007-0219

Bugtraq ID: None currently assigned

CVE Name: CVE-2007-1365

Title: OpenBSD's IPv6 mbufs remote kernel buffer overflow

Class: Buffer Overflow

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:
http://www.coresecurity.com/?action=item&id=1703

Vendors contacted:

OpenBSD.org
. 2007-02-20: First notification sent by Core.
. 2007-02-20: Acknowledgement of first notification received from the
OpenBSD team.
. 2007-02-21: Core sends draft advisory and proof of concept code that
demonstrates remote kernel panic.
. 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD
branch of source tree.
. 2007-02-26: OpenBSD team communicates that the issue is specific to
OpenBSD. OpenBSD no longer uses the term "vulnerability" when
referring to bugs that lead to a remote denial of service attack,
as opposed to bugs that lead to remote control of vulnerable systems
to avoid oversimplifying ("pablumfication") the use of the term.
. 2007-02-26: Core email sent to OpenBSD team explaining that Core
considers a remote denial of service a security issue and therefore
does use the term "vulnerability" to refer to it and that although
remote code execution could not be proved in this specific case,
the possibility should not be discarded. Core requests details about
the bug and if possible an analysis of why the OpenBSD team may or
may not consider the bug exploitable for remote code execution.
. 2007-02-28: OpenBSD team indicates that the bug results in corruption
of mbuf chains and that only IPv6 code uses that mbuf code, there is
no user data in the mbuf header fields that become corrupted and it
would be surprising to be able to run arbitrary code using a bug so
deep in the mbuf code. The bug simply leads to corruption of the mbuf
chain.
. 2007-03-05: Core develops proof of concept code that demonstrates
remote code execution in the kernel context by exploiting the mbuf
overflow.
. 2007-03-05: OpenBSD team notified of PoC availability.
. 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source
tree branches and releases a "reliability fix" notice on the project's
website.
. 2007-03-08: Core sends final draft advisory to OpenBSD requesting
comments and official vendor fix/patch information.
. 2007-03-09: OpenBSD team changes notice on the project's website to
"security fix" and indicates that Core's advisory should reflect the
requirement of IPv6 connectivity for a successful attack from outside
of the local network.
. 2007-03-12: Advisory updates with fix and workaround information and
with IPv6 connectivity comments from OpenBSD team. The "vendors
contacted" section of the advisory is adjusted to reflect more
accurately the nature of the communications with the OpenBSD team
regarding this issue.
. 2007-03-12: Workaround recommendations revisited. It is not yet
conclusive that the "scrub in inet6" directive will prevent
exploitation. It effectively stops the bug from triggering according
to Core's tests but OpenBSD's source code inspection does not provide
a clear understanding of why that happens. It could just be that the
attack traffic is malformed in some other way that is not meaningful
for exploiting the vulnerability (an error in the exploit code rather
than an effective workaround?). The "scrub" workaround recommendation
is removed from the advisory as precaution.
. 2007-03-13: Core releases this advisory.

Release Mode: FORCED RELEASE


*Vulnerability Description*

The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:

1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;

2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic)

The issue can be triggered by sending a specially crafted IPv6 fragmented packet.

OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration.

However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network (in which case the attacking system does not need to have a working IPv6 stack) or the ability to route or tunnel IPv6 packets to the target from a remote network.


*Vulnerable Packages*

OpenBSD 4.1 prior to Feb. 26th, 2006.
OpenBSD 4.0 Current
OpenBSD 4.0 Stable
OpenBSD 3.9
OpenBSD 3.8
OpenBSD 3.6
OpenBSD 3.1

All other releases that implement the IPv6 protocol stack may be vulnerable.


*Solution/Vendor Information/Workaround*

The OpenBSD team has released a "security fix" to correct the mbuf problem, it is available as a source code patch for OpenBSD 4.0 and 3.9 here:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch

The patch can also be applied to previous versions of OpenBSD.


OpenBSD-current, 4.1, 4.0 and 3.9 have the fix incorporated in their source code trees, and the kernel binaries for those versions and the upcoming version 4.1 include the fix.

As a workaround, users that do not need to process or route IPv6 traffic on their systems can block all inbound IPv6 packets using OpenBSD's firewall. This can be accomplished by adding the following line to /etc/pf.conf:

block in quick inet6 all

After adding the desired rules to pf.conf it is necessary to load them to the running PF using:

pfctl -f /etc/pf.conf

To enable PF use:
pfctl -e -f /etc/pf.conf

To check the status of PF and list all loaded rules use:
pfctl -s rules

Refer to the pf.conf(5) and pfctl(8) manpages for proper configuration and use of OpenBSD's firewall capabilities.


*Credits*

This vulnerability was found and researched by Alfredo Ortega from Core Security Technologies. The proof-of-concept code included in the advisory was developed by Alfredo Ortega with assistance from Mario Vilas and Gerardo Richarte.


*Technical Description - Exploit/Concept Code*

The vulnerability is due to improper handling of kernel memory buffers using mbuf structures. The vulnerability is triggered by OpenBSD-specific code at the mbuf layer and developed to accommodate the processing of IPv6 protocol packets.

By sending fragmented ICMPv6 packets an attacker can trigger an overflow of mbuf kernel memory structures resulting either in remote execution of arbitrary code in kernel mode or a kernel panic and subsequent system crash (a remote denial of service). Exploitation is accomplished by either:
1) Gaining control of execution flow by overwriting a function pointer, or;
2) Performing a mirrored 4 byte arbitrary memory overwrite similar to a user-space heap overflow.

The overflowed structure is an mbuf, the structure used to store network packets in kernel memory.
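The advisory names fragmented ICMPv6 traffic as the trigger. As an added example (not part of the advisory or of this thread), here is a small Python walker over the IPv6 extension-header chain that a network sensor could use to flag inbound packets of that class on hosts where the pf workaround above cannot be applied; header layouts follow RFC 2460, and the sample packets are constructed inside the script rather than captured.

```python
import struct

IPV6_HDR_LEN = 40
ICMPV6 = 58
# Extension headers that may precede the upper-layer protocol (RFC 2460, RFC 4302)
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "dest-opts"}


def walk_ipv6(pkt: bytes):
    """Return (chain, upper): extension headers seen in order, and the protocol
    number of the upper-layer header. Raises ValueError on malformed input."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack_from("!HB", pkt, 4)
    if IPV6_HDR_LEN + payload_len > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    chain, off = [], IPV6_HDR_LEN
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[nxt])
        if nxt == 44:       # fragment header is a fixed 8 bytes
            hlen = 8
        elif nxt == 51:     # AH: length in 4-byte units, excluding the first two
            hlen = (pkt[off + 1] + 2) * 4
        else:               # others: length in 8-byte units, excluding the first eight
            hlen = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hlen
    return chain, nxt


def is_fragmented_icmpv6(pkt: bytes) -> bool:
    """True for an IPv6 fragment carrying ICMPv6, the traffic class the advisory names."""
    chain, upper = walk_ipv6(pkt)
    return "fragment" in chain and upper == ICMPV6


def build_sample(fragmented: bool) -> bytes:
    """Constructed test packet (not captured traffic): an ICMPv6 echo request,
    optionally placed behind a fragment header."""
    src = b"\xfe\x80" + bytes(13) + b"\x01"        # fe80::1
    dst = b"\xfe\x80" + bytes(13) + b"\x02"        # fe80::2
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # echo request, checksum left zero
    if fragmented:
        # fragment header: next=ICMPv6, reserved, offset 0 + M flag, identification
        body, nxt = struct.pack("!BBHI", ICMPV6, 0, 0x0001, 0x1234ABCD) + icmp, 44
    else:
        body, nxt = icmp, ICMPV6
    hdr = struct.pack("!IHBB", 0x60000000, len(body), nxt, 64) + src + dst
    return hdr + body
```

Feeding the walker each inbound packet from a capture and counting `is_fragmented_icmpv6` hits per source address gives a simple indicator for the pattern the advisory describes.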
Jaymac
Moderator

Joined: 19 Dec 2002
Age: 21
Posts: 5565
Location: Port na Binne Uaine, Contae Dhoire, Éire

Posted: Wed Mar 14, 2007 4:00 am

Oh well.. 2 holes is still not bad.

_________________
Jaymac

"Software is like sex: it's better when it's free." - Linus Torvalds
"Ireland for the Irish, not for London or for Rome." - John Lennon

dugg
Cat Chaser

Joined: 18 Jan 2001
Posts: 736
Location: 15 miles from Hell

Posted: Wed Mar 14, 2007 5:25 am

I :heart: my OpenBSD.
This might affect FreeBSD also.
creed
Veteran Dog

Joined: 08 Nov 2003
Age: 97
Posts: 6326
Location: Exiled

Posted: Wed Mar 14, 2007 6:16 am

The streak had to end sometime.

That and IPv6 isn't mainstream anyways, so for 95% of the users out there, it wouldn't matter.
