Date:      Wed, 30 Nov 2022 14:47:05 -0800 (PST)
From:      Roger Marquis <marquis@roble.com>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Message-ID:  <9n9n775o-2rp4-5q7q-3500-61q18235qs5q@mx.roble.com>
In-Reply-To: <20221130223855.GA89753@spindle.one-eyed-alien.net>
References:  <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <e9a7b2ca-a4a4-5b99-f915-0db46b60d1e8@apt322.org> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net>

Also note that the update can be as easy as:

   gitup src
   cd /usr/src
   make buildworld
   cd sbin/ping
   make install
   ls -l /sbin/ping
   /sbin/ping ...

Roger Marquis


> On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote:
>> On 11/30/2022 4:58 PM, Dev Null wrote:
>>>
>>> Easy to exploit in a test environment, but difficult to exploit
>>> in the wild, since the flaw can only be exploited in the ICMP reply,
>>> so the vulnerable machine NEEDS to make an ICMP request first.
>>>
>>> The attacker in this case sends a short reader in the ICMP reply.
>>>
>> Let's say you know that some device regularly pings, say, 8.8.8.8 as part
>> of some connectivity check. If there is no stateful firewall, can the
>> attacker not just forge the reply on the chance their attack packet
>> could get there first? Or if it's the case of "evil ISP" in the middle,
>> it becomes even easier. At that point, how easy is it to actually do
>> some sort of remote code execution? The SA implies there are mitigating
>> techniques on the OS and in the app. I guess it's that last part I am
>> mostly unclear on: how difficult is the RCE if given the first
>> requirement as a given.
>
> It's probably also worth considering it as a local privilege escalation
> attack.  The attacker will need to control a ping server, but it's often
> the case that enough ICMP traffic is allowed out for that to work and in
> that case they have unlimited tries to defeat any statistical mitigations
> (unless the admin spots all the ping crashes).
>
> -- Brooks
>
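The thread turns on a crafted ICMP echo reply reaching a host that sent an echo request, and on what a reply-processing path must check before trusting it. The following C is an added illustration written for this page; it is not code from FreeBSD's ping, from the SA, or from any poster in the thread. It parses a raw IPv4+ICMP datagram with the two checks that matter here: the IPv4 header length (IHL) is a field in the received packet, so it is attacker-chosen and can be anything from 20 to 60 bytes with options, and every copy into a fixed-size buffer is bounded by that maximum and by the bytes actually received; and the ICMP identifier and sequence number are compared against the outstanding request, which is the matching a forged reply has to get right. The `echo_state` layout, the `make_reply` helper and the packet bytes it builds are assumptions constructed for the example (checksums are left zero).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 header length is 4 * IHL; IHL is a 4-bit field, so 20..60 bytes. */
#define IP_HDR_MIN          20
#define IP_HDR_MAX          60
#define ICMP_ECHO_HDR        8
#define ICMP_TYPE_ECHOREPLY  0
#define ICMP_TYPE_ECHO       8

/* Per-request state the receiver keeps (assumed layout for this example;
   the real ping uses its PID as identifier plus a running sequence). */
struct echo_state {
    uint16_t ident;
    uint16_t seq;
};

/* Parsed reply. The header copy is sized for the largest legal header, not
   for the optionless 20-byte case, so a reply carrying IP options fits. */
struct echo_reply {
    uint8_t  ip_hdr[IP_HDR_MAX];
    size_t   ip_hdrlen;
    uint8_t  icmp_type;
    uint16_t ident;
    uint16_t seq;
    size_t   payload_len;
};

enum reply_status {
    REPLY_OK = 0,
    REPLY_TRUNCATED,      /* fewer bytes arrived than the headers claim */
    REPLY_BAD_HDRLEN,     /* IHL outside 5..15 */
    REPLY_NOT_ECHOREPLY,  /* some other ICMP type */
    REPLY_NOT_MINE        /* ident/seq do not match the outstanding request */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate a raw IPv4+ICMP datagram of len bytes and fill *out. Every
   length used for a copy is checked before the copy happens. */
enum reply_status parse_echo_reply(const uint8_t *pkt, size_t len,
                                   const struct echo_state *st,
                                   struct echo_reply *out)
{
    if (len < IP_HDR_MIN)
        return REPLY_TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4u;       /* attacker-chosen */
    if (ihl < IP_HDR_MIN || ihl > IP_HDR_MAX)
        return REPLY_BAD_HDRLEN;
    if (len < ihl + ICMP_ECHO_HDR)                    /* options + ICMP header really present? */
        return REPLY_TRUNCATED;
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != ICMP_TYPE_ECHOREPLY)
        return REPLY_NOT_ECHOREPLY;
    uint16_t ident = be16(icmp + 4), seq = be16(icmp + 6);
    if (ident != st->ident || seq != st->seq)
        return REPLY_NOT_MINE;
    memset(out, 0, sizeof *out);
    memcpy(out->ip_hdr, pkt, ihl);                    /* ihl <= IP_HDR_MAX, bytes present */
    out->ip_hdrlen = ihl;
    out->icmp_type = icmp[0];
    out->ident = ident;
    out->seq = seq;
    out->payload_len = len - ihl - ICMP_ECHO_HDR;
    return REPLY_OK;
}

/* Build a wire-format datagram into buf (constructed test input, checksums
   zero). ihl_words is the IHL field; option bytes beyond 20 are NOPs.
   Returns bytes written, or 0 if the parameters are out of range. */
size_t make_reply(uint8_t *buf, size_t cap, unsigned ihl_words, uint8_t type,
                  uint16_t ident, uint16_t seq, size_t payload_len)
{
    if (ihl_words < 5 || ihl_words > 15)
        return 0;
    size_t ihl = ihl_words * 4u;
    size_t total = ihl + ICMP_ECHO_HDR + payload_len;
    if (total > cap || total > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);             /* version 4 + IHL */
    buf[2] = (uint8_t)(total >> 8);                   /* total length */
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                                      /* TTL */
    buf[9] = 1;                                       /* protocol: ICMP */
    memset(buf + IP_HDR_MIN, 0x01, ihl - IP_HDR_MIN); /* NOP options */
    uint8_t *icmp = buf + ihl;
    icmp[0] = type;
    icmp[4] = (uint8_t)(ident >> 8);  icmp[5] = (uint8_t)(ident & 0xff);
    icmp[6] = (uint8_t)(seq >> 8);    icmp[7] = (uint8_t)(seq & 0xff);
    for (size_t i = 0; i < payload_len; i++)
        icmp[ICMP_ECHO_HDR + i] = (uint8_t)i;
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    struct echo_state st = { 0x1234, 7 };
    struct echo_state other = { 0x1234, 8 };
    struct echo_reply r;
    /* A 60-byte header (IHL=15) is legal and must fit the fixed buffer. */
    size_t n = make_reply(pkt, sizeof pkt, 15, ICMP_TYPE_ECHOREPLY, 0x1234, 7, 56);
    printf("options:   status %d\n", parse_echo_reply(pkt, n, &st, &r));
    printf("           ip header %zu bytes, payload %zu bytes\n", r.ip_hdrlen, r.payload_len);
    /* Same header, but only 30 bytes were actually received. */
    printf("truncated: status %d\n", parse_echo_reply(pkt, 30, &st, &r));
    /* A reply for a request this host never sent. */
    printf("forged:    status %d\n", parse_echo_reply(pkt, n, &other, &r));
    return 0;
}
```

The point of the example is the ordering: the header length is read from the packet, bounded against the buffer and against the received length, and only then copied; and a reply that does not match an outstanding identifier and sequence is dropped before any further processing. A stateful firewall applies the same ident/seq matching one hop earlier, which is why its absence comes up in the quoted discussion.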



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9n9n775o-2rp4-5q7q-3500-61q18235qs5q>