From nobody Thu Dec 8 16:38:07 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NSfwM43hyz4jtVg for ; Thu, 8 Dec 2022 16:38:11 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NSfwL5wPhz42JV; Thu, 8 Dec 2022 16:38:10 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; dkim=none; spf=none (mx1.freebsd.org: domain of cy.schubert@cschubert.com has no SPF policy when checking 3.97.99.32) smtp.mailfrom=cy.schubert@cschubert.com; dmarc=none Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142]) by cmsmtp with ESMTP id 3HctpgCI6MsxD3JuUpC6NE; Thu, 08 Dec 2022 16:38:10 +0000 Received: from spqr.komquats.com ([70.66.148.124]) by cmsmtp with ESMTPA id 3JuSpooItibmA3JuTpEI3A; Thu, 08 Dec 2022 16:38:10 +0000 X-Authority-Analysis: v=2.4 cv=YPCMdDKx c=1 sm=1 tr=0 ts=639212f2 a=Cwc3rblV8FOMdVN/wOAqyQ==:117 a=Cwc3rblV8FOMdVN/wOAqyQ==:17 a=kj9zAlcOel0A:10 a=sHyYjHe8cH0A:10 a=y3olD_i8AAAA:8 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8 a=le4KEiomOWmtCBGRa-AA:9 a=CjuIK1q_8ugA:10 a=2GdgqtpztZvaxdPX1XqS:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 3674D194; Thu, 8 Dec 2022 08:38:08 -0800 (PST) Received: by slippy.cwsent.com (Postfix, from userid 1000) id EE91F7C; Thu, 8 Dec 2022 08:38:07 -0800 (PST) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Brooks Davis cc: mike tancsa , Dev Null , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping In-reply-to: <20221130223855.GA89753@spindle.one-eyed-alien.net> References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net> Comments: In-reply-to Brooks Davis message dated "Wed, 30 Nov 2022 22:38:55 +0000." List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 08 Dec 2022 08:38:07 -0800 Message-Id: <20221208163807.EE91F7C@slippy.cwsent.com> X-CMAE-Envelope: MS4xfLv0QEEnGV48GfpudXqvnurDY9Kkh9f6lGIXOLSrnU9ZITid1XUyRJ0YLIf3c/VYu7j38OJGFE99cDnOQ9paBOJcDjZDO5ZqPQZTtNIxXlQ/X1daJyf0 GHaXKb2ag8KNOXGkAqIZuJyAvF0mzkalPU7BNSgv0bm/RJ5U2XEKJwYlme/TihHMJ+ufgo+NMATW5KAEnQxCYTgHfko9dE5NcePdenocnzosBchPjtknhoGZ EOkLHr6CXUXTpV8XCu+LoyjU2PErD3F955f1kZBXXoqM3SSe754j0dGZ9m6mo0J+ X-Spamd-Result: default: False [-1.69 / 15.00]; AUTH_NA(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.992]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[3.97.99.32:from]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]; R_SPF_NA(0.00)[no SPF record]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_FIVE(0.00)[5]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_TLS_LAST(0.00)[]; REPLYTO_EQ_FROM(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[cschubert.com: no valid DMARC record]; HAS_REPLYTO(0.00)[Cy.Schubert@cschubert.com] X-Rspamd-Queue-Id: 4NSfwL5wPhz42JV X-Spamd-Bar: - X-ThisMailContainsUnwantedMimeParts: N In message <20221130223855.GA89753@spindle.one-eyed-alien.net>, Brooks Davis wr ites: > > --pWyiEgJYm5f9v55/ > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote: > > On 11/30/2022 4:58 PM, Dev Null wrote: > > > > > > Easily to exploit in a test environment, but difficult to be exploited= > =20 > > > in the wild, since the flaw only can be exploited in the ICMP reply,=20 > > > so the vulnerable machine NEEDS to make an ICMP request first. > > > > > > The attacker in this case, send a short reader in ICMP reply. > > > > > Lets say you know that some device regularly pings, say 8.8.8.8 as part= > =20 > > of some connectivity check. If there is no stateful firewall, can the=20 > > attacker not just forge the reply on the chance their attack packet=20 > > could get there first ??? Or if its the case of "evil ISP" in the middle,= > =20 > > it becomes even easier. At that point, how easy is it to actually do=20 > > some sort of remote code execution. The SA implies there are mitigating= > =20 > > techniques on the OS and in the app.?? I guess its that last part I am=20 > > mostly unclear of, how difficult is the RCE if given the first=20 > > requirement as a given. > > It's probably also worth considering it as a local privilege escalation > attack. The attacker will need to control a ping server, but it's often > the case that enough ICMP traffic is allowed out for that to work and in > that case they have unlimited tries to defeat any statistical mitigations > (unless the admin spots all the ping crashes). Local privilege escalations are significant threats. I recall one site about 25-30 years ago, one of their OSF/1 machines had crashed and never recovered. It turned out that some intruder managed to break a CGI script which gave them a shell. They attempted a ping exploit which hung the machine hard. After a little digging around I discovered a ping exploit for Tru64. The exploit should have coughed up a root shell but in my client's case they lucked out with a crashed machine instead. That same site had atrocious practices. They gave their CEO an account on the OSF/1 machine with the account name of ceo and a password of, you guessed it, ceo. The CEO never logged in once -- as if the CEO would log into some random UNIX box on the raised floor. I was surprised they didn't get broken into more often than the number of times they did. -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0