From: Brooks Davis
To: mike tancsa
Cc: Dev Null, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Date: Wed, 30 Nov 2022 22:38:55 +0000
Message-ID: <20221130223855.GA89753@spindle.one-eyed-alien.net>
In-Reply-To: <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net>
References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote:
> On 11/30/2022 4:58 PM, Dev Null wrote:
> >
> > Easy to exploit in a test environment, but difficult to exploit
> > in the wild, since the flaw can only be exploited in the ICMP reply,
> > so the vulnerable machine NEEDS to make an ICMP request first.
> >
> > The attacker in this case sends a short reader in the ICMP reply.
>
> Let's say you know that some device regularly pings, say 8.8.8.8, as part
> of some connectivity check. If there is no stateful firewall, can the
> attacker not just forge the reply on the chance their attack packet
> could get there first? Or if it's the case of "evil ISP" in the middle,
> it becomes even easier. At that point, how easy is it to actually do
> some sort of remote code execution? The SA implies there are mitigating
> techniques on the OS and in the app? I guess it's that last part I am
> mostly unclear of: how difficult is the RCE if given the first
> requirement as a given?

It's probably also worth considering it as a local privilege escalation
attack. The attacker will need to control a ping server, but it's often
the case that enough ICMP traffic is allowed out for that to work and in
that case they have unlimited tries to defeat any statistical mitigations
(unless the admin spots all the ping crashes).

--
Brooks
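Brooks's closing remark, that repeated tries against a statistical mitigation are only a problem if nobody notices the ping crashes, points at a simple detection. The script below is an added example, not code from this thread or from FreeBSD: it scans the kernel's process-termination messages (kern.logsigexit; the exact line layout, the host name and the sample lines are assumed/constructed) and flags a burst of abnormal ping exits inside a short window.

```python
import re
from datetime import datetime, timedelta

# Assumed layout of a syslog'd FreeBSD kern.logsigexit line, e.g.
#   "Nov 30 21:02:11 host kernel: pid 1201 (ping), jid 0, uid 0: exited on signal 11 (core dumped)"
# The ", jid N" field is optional so older-style lines without it still parse.
SIGEXIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: pid (?P<pid>\d+) "
    r"\((?P<comm>[^)]+)\)(?:, jid \d+)?, uid (?P<uid>\d+): exited on signal "
    r"(?P<sig>\d+)(?P<core> \(core dumped\))?$"
)

# SIGILL, SIGABRT, SIGBUS, SIGSEGV: memory corruption or a tripped hardening
# check (e.g. stack protector abort), as opposed to an operator's Ctrl-C (SIGINT).
CRASH_SIGNALS = {4, 6, 10, 11}

# Constructed sample log; four ping crashes, one Ctrl-C, one crash hours later.
SAMPLE_LOG = [
    "Nov 30 21:02:11 host kernel: pid 1201 (ping), jid 0, uid 0: exited on signal 11 (core dumped)",
    "Nov 30 21:03:40 host kernel: pid 1207 (ping), jid 0, uid 0: exited on signal 11 (core dumped)",
    "Nov 30 21:04:02 host kernel: pid 1210 (ping), jid 0, uid 0: exited on signal 2",
    "Nov 30 21:05:15 host kernel: pid 1214 (ping), uid 0: exited on signal 6 (core dumped)",
    "Nov 30 23:40:00 host kernel: pid 1302 (ping), jid 0, uid 0: exited on signal 11 (core dumped)",
]

def parse_sigexit(line, year=2022):
    """Return (timestamp, comm, uid, signal) for a kern.logsigexit line, else None."""
    m = SIGEXIT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["comm"], int(m["uid"]), int(m["sig"])

def crash_bursts(lines, comm="ping", threshold=3, window=timedelta(minutes=10)):
    """Sliding-window count of abnormal exits of `comm`.
    Returns one (timestamp, count) alert for every event at which the number of
    crashes within the trailing `window` reaches `threshold`."""
    events = sorted(p[0] for p in map(parse_sigexit, lines)
                    if p and p[1] == comm and p[3] in CRASH_SIGNALS)
    alerts, start = [], 0
    for end, t in enumerate(events):
        while t - events[start] > window:   # drop events older than the window
            start += 1
        if end - start + 1 >= threshold:
            alerts.append((t, end - start + 1))
    return alerts

if __name__ == "__main__":
    for when, n in crash_bursts(SAMPLE_LOG):
        print(f"{when}: {n} abnormal ping exits within 10 minutes")
```

The SIGINT line and the crash at 23:40 do not contribute to an alert, so only the third crash at 21:05:15 trips the threshold.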