From: mike tancsa <mike@sentex.net>
To: Brooks Davis
Cc: Dev Null, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Date: Thu, 1 Dec 2022 10:27:44 -0500
Message-ID: <4ce47f73-c48f-22f6-e0c0-0bd03452bcda@sentex.net>
In-Reply-To: <20221130223855.GA89753@spindle.one-eyed-alien.net>
References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On 11/30/2022 5:38 PM, Brooks Davis wrote:
> It's probably also worth considering it as a local privilege escalation
> attack. The attacker will need to control a ping server, but it's often
> the case that enough ICMP traffic is allowed out for that to work and in
> that case they have unlimited tries to defeat any statistical mitigations
> (unless the admin spots all the ping crashes).

My concern is the "evil server in the middle" ... Things like route hijacking are not that uncommon. I have a number of IoT devices out there I will need to patch, some still based on RELENG_11. The patch doesn't apply cleanly, but looking at the source code, there are a bunch of spots where

#ifdef IP_OPTIONS

If I put on the top of sbin/ping.c

#undef IP_OPTIONS

will the code that is problematic get compiled out and avoid the issue?

ping.c:#ifdef IP_OPTIONS
ping.c:#ifdef IP_OPTIONS
ping.c:         if (setsockopt(ssend, IPPROTO_IP, IP_OPTIONS, rspace,
ping.c:                 err(EX_OSERR, "setsockopt IP_OPTIONS");
ping.c:#endif /* IP_OPTIONS */

For now, I would rather push a patched ping which I can do quickly to a few hundred devices

    ---Mike
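An added example, not part of the list post and not code from FreeBSD's sbin/ping.c, showing the one preprocessor detail that decides whether the "#undef at the top of the file" idea does anything. IP_OPTIONS is not a build option; it is a socket option constant defined by <netinet/in.h> (the example assumes that header defines it, which it does on FreeBSD and on Linux/glibc). An #undef placed before the includes is silently reversed by the header, so the #ifdef IP_OPTIONS blocks stay compiled in; the #undef has to come after the last include that defines it. The two functions below have the same shape as a guarded block in ping.c and return whether that block survived preprocessing:

```c
/*
 * Added example (not from the list post or from FreeBSD's sbin/ping.c):
 * where "#undef IP_OPTIONS" lands relative to the system headers decides
 * whether "#ifdef IP_OPTIONS" blocks are compiled out.
 * Assumption: <netinet/in.h> defines IP_OPTIONS, as it does on FreeBSD
 * (value 1) and on Linux/glibc (value 4).
 */
#undef IP_OPTIONS           /* "at the top of the file", before any include */
#include <netinet/in.h>     /* ...which defines IP_OPTIONS again */
#include <stdio.h>

/* Same shape as the guarded block in ping.c; compiled while the
 * header's definition of IP_OPTIONS is in effect. */
int guarded_block_with_undef_at_top(void)
{
#ifdef IP_OPTIONS
    return 1;               /* still compiled in: the header won */
#else
    return 0;
#endif
}

#undef IP_OPTIONS           /* after the includes: nothing below re-defines it */

int guarded_block_with_undef_after_includes(void)
{
#ifdef IP_OPTIONS
    return 1;
#else
    return 0;               /* compiled out, which is what was intended */
#endif
}

int main(void)
{
    printf("undef at top:            IP_OPTIONS block compiled in = %d\n",
        guarded_block_with_undef_at_top());
    printf("undef after the includes: IP_OPTIONS block compiled in = %d\n",
        guarded_block_with_undef_after_includes());
    return 0;
}
```

The same applies to -UIP_OPTIONS on the compiler command line: it only affects the predefined macro set, and the header redefines the name afterwards. Two caveats before shipping such a build: the grep output in the post only shows where the macro is tested, not which lines the advisory's fix changes, so diff the guarded blocks against the advisory's patch before relying on them being the problematic code; and with the macro undefined the guarded setsockopt(..., IP_OPTIONS, ...) call goes away too, so ping's record-route and related options stop working on those devices.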