Date: Tue, 07 Jan 2003 19:44:52 -0800 (PST)
From: Mikko Työläjärvi
Subject: Re: @stake advisory: etherleak
To: Nate Lawson
Cc: Bosko Milekic, security@freebsd.org, net@freebsd.org
Message-id: <20030107192435.B70415-100000@atlas.home>

On Tue, 7 Jan 2003, Nate Lawson wrote:

> On Tue, 7 Jan 2003, Bosko Milekic wrote:
[...]
> > An "attacker" might as well just
> > rely on temperature to guess at how to interpret what he/she's seeing
> > in those few bytes. The data in our case is probably DMA'd straight
> > out of the mbuf's data region so what you'll probably find in there is
> > just randomness from something before, not necessarily network data.
>
> Since the mbuf pool is statically allocated at boot, it's likely only mbuf
> hdrs or contents would leak this way. Still, this is data leakage even
> though it's a small channel.

This is definitely a security problem. It is also not new. First time I
saw it was over five years ago; we could "poll" data from machines running
various unix flavours. Just by pinging them we got snippets of data from
inside the kernel of the target machine, including data from local
connections and pipes. It was actually pretty easy to demonstrate
significant leakage of recognizable information.

$.02,
/Mikko

P.S. "rl" bzeros padding.

Mikko Työläjärvi_______________________________________mikko@rsasecurity.com
RSA Security
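An added illustration, not code from the FreeBSD tree or from anyone in this thread: a transmit path that pads a short frame out of a reused buffer, next to one that zeroes the padding as the P.S. says "rl" does, plus a receiver-side check that counts nonzero pad bytes after the IPv4 datagram. All function names, the 0x41 fill and the sample frame are constructed for the example; the 60-byte figure is the Ethernet minimum frame length without the FCS.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_MIN_NOFCS 60   /* minimum Ethernet frame length without the FCS */

/* Leaky: short frame copied into a reused buffer; the stale tail goes out as pad. */
size_t tx_prepare_leaky(uint8_t *txbuf, const uint8_t *frame, size_t len)
{
    memcpy(txbuf, frame, len);
    return len < ETH_MIN_NOFCS ? ETH_MIN_NOFCS : len;
}

/* Hardened: zero the pad region before the frame is handed to the NIC. */
size_t tx_prepare_zeroed(uint8_t *txbuf, const uint8_t *frame, size_t len)
{
    memcpy(txbuf, frame, len);
    if (len >= ETH_MIN_NOFCS)
        return len;
    memset(txbuf + len, 0, ETH_MIN_NOFCS - len);
    return ETH_MIN_NOFCS;
}

/* Count nonzero bytes after the IPv4 datagram in an untagged frame; -1 if unparseable. */
int nonzero_pad_bytes(const uint8_t *f, size_t flen)
{
    if (flen < 14 + 20 || f[12] != 0x08 || f[13] != 0x00)
        return -1;
    size_t tot = ((size_t)f[16] << 8) | f[17];   /* IPv4 total length */
    if (tot < 20 || 14 + tot > flen)
        return -1;
    int n = 0;
    for (size_t i = 14 + tot; i < flen; i++)
        n += (f[i] != 0);
    return n;
}

/* Constructed input: 42-byte ICMP echo frame, buffer pre-filled with 0x41. */
int demo(int hardened)
{
    uint8_t frame[42] = {0}, txbuf[ETH_MIN_NOFCS];
    frame[12] = 0x08;                    /* EtherType 0x0800 (IPv4) */
    frame[14] = 0x45;                    /* version 4, IHL 5 */
    frame[17] = 28;                      /* total length: 20 IP + 8 ICMP */
    memset(txbuf, 0x41, sizeof txbuf);   /* stands in for stale kernel data */
    size_t n = hardened ? tx_prepare_zeroed(txbuf, frame, sizeof frame)
                        : tx_prepare_leaky(txbuf, frame, sizeof frame);
    return nonzero_pad_bytes(txbuf, n);
}

int main(void) { return (demo(0) == 18 && demo(1) == 0) ? 0 : 1; }
```

The same check can be run over captured frames from hosts you administer: any nonzero count on a minimum-size frame means the sending driver is not clearing its padding.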