Subject: main_fracas
To: None <port-mac68k@netbsd.org>
From: T@W <lsp93@xs4all.nl>
List: port-mac68k
Date: 05/10/2000 21:10:39
For convenience forwarded by me from:
http://www.newhackcity.net
******************************************************************************
* advisory_id:20000504a.0 release_date:2000-05-04 *
* *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
* main_fracas: *
* It is possible to cause a kernel panic on systems running NetBSD *
* by sending a packet remotely with an unaligned IP Timestamp option. *
* *
* affected_configurations: *
* NetBSD 1.4.x on SPARC and Alpha platforms were tested and found to be *
* vulnerable. Any platform where a page fault is caused by an unaligned *
* memory access should also be vulnerable. *
* *
* unaffected_configurations: *
* NetBSD 1.4.x on arm32 and x86 platforms were tested and found to not *
* panic. However, this is only because these (and a few other untested) *
* platforms do not page fault on unaligned memory accesses. *
* *
* notification: *
* This was originally reported to the NetBSD Security Alerts mailing list on *
* March 1, 2000, which was before the release of NetBSD 1.4.2. *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
* --<<instructions 4 reproduction>>-- *
* *
* 1. Download, compile, and install libnet. It can be obtained from *
* http://www.packetfactory.net *
* *
* 2. Download and compile the ISIC suite of utilities. They are at *
* http://expert.cc.purdue.edu/~frantzen *
* *
* 3. After compiling the isic utilities, run the following from your shell *
* of choice: *
* 'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505' *
* *
* where source is the source IP address (spoofed addresses work just fine), *
* and dest is the IP address of the NetBSD machine. *
* *
* NOTE: For whatever reason, Linux mangles this packet before sending it. We *
* have found that it does work correctly when sent from FreeBSD x86, NetBSD *
* x86, and NetBSD arm32. *
* *
* *
* Result: *
* On the vulnerable platforms tested (listed above), a kernel panic results *
* from an unaligned memory access. Because of the ability to spoof the *
* packet, and the relatively small packet size, an attacker could easily *
* crash many NetBSD machines on a given subnet with minimal effort. *
*IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
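Added for context by the forwarder's editor, not part of the advisory and not NetBSD's kernel source: a small C illustration of the bug class described above. Option data in an IPv4 header sits at whatever byte offset the preceding options leave it, so a parser that casts into the option bytes as a 32-bit word performs an unaligned load, which is exactly what traps on SPARC and Alpha. The parser below validates the timestamp option's length and pointer fields first and then reads each 32-bit slot byte by byte, so it makes no alignment assumption. The header bytes are a constructed sample, and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_EOL 0
#define IPOPT_NOP 1
#define IPOPT_TS  68      /* IP Timestamp option, RFC 791 */

/* Alignment-safe big-endian 32-bit read at any byte offset.
 * Casting p to (uint32_t *) and dereferencing it is the kind of unaligned
 * load that traps on strict-alignment CPUs (SPARC, Alpha); option data
 * sits at whatever offset the preceding options leave it. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate a timestamp option at opt (avail = option bytes remaining)
 * and copy its recorded timestamps to out. Only the "timestamps only"
 * flag (0) is handled. Returns the timestamp count, or -1 if malformed. */
int parse_ip_ts_option(const uint8_t *opt, size_t avail,
                       uint32_t *out, size_t max_out)
{
    if (avail < 4 || opt[0] != IPOPT_TS)
        return -1;
    size_t len = opt[1];
    size_t ptr = opt[2];
    unsigned flag = opt[3] & 0x0f;

    if (len < 4 || len > avail)              /* length must fit the header */
        return -1;
    if (ptr < 5 || ptr > len + 1)            /* pointer range per RFC 791  */
        return -1;
    if (flag != 0)                           /* address+timestamp forms not handled */
        return -1;
    if ((len - 4) % 4 != 0 || (ptr - 5) % 4 != 0) /* whole 32-bit slots only */
        return -1;

    size_t n = (ptr - 5) / 4;                /* timestamps recorded so far */
    if (n > max_out)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = get_be32(opt + 4 + 4 * i);  /* byte-wise, no alignment assumed */
    return (int)n;
}

/* Walk the option area of an IPv4 header (hdrlen = IHL * 4) and parse the
 * timestamp option if present. Returns its timestamp count, 0 if absent,
 * -1 on any malformed option or header. */
int find_and_parse_ts(const uint8_t *hdr, size_t hdrlen,
                      uint32_t *out, size_t max_out)
{
    if (hdrlen < 20 || hdrlen > 60 || (hdr[0] >> 4) != 4 ||
        (size_t)(hdr[0] & 0x0f) * 4 != hdrlen)
        return -1;
    size_t off = 20;
    while (off < hdrlen) {
        uint8_t t = hdr[off];
        if (t == IPOPT_EOL)
            break;
        if (t == IPOPT_NOP) { off++; continue; }
        if (off + 2 > hdrlen)
            return -1;
        size_t l = hdr[off + 1];
        if (l < 2 || off + l > hdrlen)
            return -1;
        if (t == IPOPT_TS)
            return parse_ip_ts_option(hdr + off, hdrlen - off, out, max_out);
        off += l;
    }
    return 0;
}

/* Constructed sample (not a capture): a 32-byte IPv4 header whose
 * timestamp option follows a single NOP, so its one recorded timestamp
 * (0x01020304) starts at byte offset 25, which is not 4-byte aligned. */
const uint8_t sample_hdr[32] = {
    0x48, 0x00, 0x00, 0x20,  0x00, 0x00, 0x00, 0x00,
    0x40, 0x01, 0x00, 0x00,  10, 0, 0, 1,
    10, 0, 0, 2,             IPOPT_NOP, IPOPT_TS, 8, 9,
    0x00, 0x01, 0x02, 0x03,  0x04, 0x00, 0x00, 0x00,
};

/* Constructed malformed option: pointer (3) is below the legal minimum of 5. */
const uint8_t bad_ts_opt[8] = { IPOPT_TS, 8, 3, 0, 1, 2, 3, 4 };

int main(void)
{
    uint32_t ts[4];
    int n = find_and_parse_ts(sample_hdr, sizeof sample_hdr, ts, 4);
    printf("timestamps: %d, first = 0x%08x\n", n, n > 0 ? ts[0] : 0u);
    printf("malformed option rejected: %s\n",
           parse_ip_ts_option(bad_ts_opt, sizeof bad_ts_opt, ts, 4) < 0 ? "yes" : "no");
    return 0;
}
```

The length and pointer checks come before any data access, so a crafted option cannot steer the reader past the header; the byte-wise read then removes the alignment dependency that made the behaviour differ between x86/arm32 and SPARC/Alpha.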