Date:      Thu, 08 Dec 2022 08:38:07 -0800
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Brooks Davis <brooks@freebsd.org>
Cc:        mike tancsa <mike@sentex.net>, Dev Null <devnull@apt322.org>, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Message-ID:  <20221208163807.EE91F7C@slippy.cwsent.com>
In-Reply-To: <20221130223855.GA89753@spindle.one-eyed-alien.net>
References:  <20221130004601.043CE1C623@freefall.freebsd.org>  <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <e9a7b2ca-a4a4-5b99-f915-0db46b60d1e8@apt322.org> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net>

In message <20221130223855.GA89753@spindle.one-eyed-alien.net>, Brooks
Davis writes:
>
> On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote:
> > On 11/30/2022 4:58 PM, Dev Null wrote:
> > >
> > > Easy to exploit in a test environment, but difficult to exploit
> > > in the wild, since the flaw can only be exploited in the ICMP reply,
> > > so the vulnerable machine NEEDS to make an ICMP request first.
> > >
> > > The attacker in this case sends a short reader in ICMP reply.
> > >
> > Let's say you know that some device regularly pings, say 8.8.8.8, as part
> > of some connectivity check. If there is no stateful firewall, can the
> > attacker not just forge the reply on the chance their attack packet
> > could get there first? Or if it's the case of "evil ISP" in the middle,
> > it becomes even easier. At that point, how easy is it to actually do
> > some sort of remote code execution? The SA implies there are mitigating
> > techniques on the OS and in the app. I guess it's that last part I am
> > mostly unclear of: how difficult is the RCE if given the first
> > requirement as a given?
>
> It's probably also worth considering it as a local privilege escalation
> attack.  The attacker will need to control a ping server, but it's often
> the case that enough ICMP traffic is allowed out for that to work and in
> that case they have unlimited tries to defeat any statistical mitigations
> (unless the admin spots all the ping crashes).

Local privilege escalations are significant threats. I recall one site 
about 25-30 years ago, one of their OSF/1 machines had crashed and never 
recovered. It turned out that some intruder managed to break a CGI script 
which gave them a shell. They attempted a ping exploit which hung the 
machine hard. After a little digging around I discovered a ping exploit for 
Tru64. The exploit should have coughed up a root shell but in my client's 
case they lucked out with a crashed machine instead.

That same site had atrocious practices. They gave their CEO an account on 
the OSF/1 machine with the account name of ceo and a password of, you 
guessed it, ceo. The CEO never logged in once -- as if the CEO would log 
into some random UNIX box on the raised floor. I was surprised they didn't 
get broken into more often than the number of times they did.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0