OpenBSD Journal

Remote openbsd crash with IPv6

Contributed by jose on from the dual-stack-networking dept.

Maarten writes: "Georgi Guninski (infamous for finding Windows vulnerabilities) has found a flaw in the IPv6 stack on OpenBSD. On his site:

'It is possible to remotely crash openbsd 3.4 if the host receives icmpv6 and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.'

More information on http://www.guninski.com/obsdmtu.html "

Note that this looks fixed in -current.

(Comments are closed)


Comments
  1. By Anonymous Coward () on

    *ahem*

    [quote] You may not modify it and distribute it or distribute parts
    of it without the author's written permission - this especially applies to
    so called "vulnerabilities databases" and securityfocus, microsoft, cert
    and mitre. [/quote]

    Note that I am violating this too ;-)

    Comments
    1. By Anonymous Coward () on

      Hopefully he doesn't mind if we fix it =) The chap actually seems to have found more than one problem on OpenBSD at various points in time. It is a good thing that he isn't wasting all his time in the (soft target) Windows arena!

  2. By Anonymous Coward () on

    Any bugs like this are good, at least they get fixed...

    Personally I haven't used IPv6 much yet so I've either always removed it from kernel on my OpenBSD boxes and/or filter IPv6 traffic that I don't use - yet.

  3. By Kim () on

    quoting de raadt: "it is just a crash." I guess that's his way of saying he doesn't want to change the slogan.

    Comments
    1. By leonYendor () on

      So you have used it to get root remotely?
      More likely you don't know the diff between a root exploit and a crash.

    2. By Anonymous Coward () on

      it's not a remote hole, it sticks software in a loop.

    3. By Anonymous Coward () on

      I think it's his way of saying "it is just a crash".

  4. By Ed White () on http://hacking.openbsd.it


    OpenBSD comes with too many things enabled by default.

    IPv6 is one of those.

    I'll suggest to provide a GENERIC kernel with basic hardware support and other specific kernel like NetBSD does (LAPTOP, SMALL, ...)


    OpenBSD: open-source, closed-minded.

    Comments
    1. By Anonymous Coward () on

      You are probably right, IPv6 is not used widely enough for it to be put in GENERIC

    2. By kokamomi () on

      "OpenBSD comes with too many things enabled by default.

      IPv6 is one of those. "


      this attitude is probably the reason we don't have IPv6 everywhere.

      how's that for being closed-minded?

      Comments
      1. By clvrmnky () on http://www.ipv6.org/

        Well, if most of us *needed* IPv6, we'd be more inclined to use it.

        Providers generally do not support IPv6, and there is little incentive for even largish intranets to use it. There's just no reason to have it "everywhere".

        I mean, how many times have we looked at source, a config file, or a man page and seen something that refers to IPv6, and just scanned over it looking for useful information?

        While I agree with the sentiment that GENERIC should exclude IPv6, I certainly do not agree with the OP's assertion about close-minded OpenBSD.

        Comments
        1. By Ed White () on http://hacking.openbsd.it


          closed-minded.

          They keep dropping patches and ideas.
          Most of the time without any explanation.

          An example:
          http://marc.theaimsgroup.com/?l=openbsd-pf&m=106667232319219&w=2


          That's why I don't send diff, only ideas.

    3. By Chad Loder () on

      I tend to agree. I always disable it anyways.

    4. By asdfg () on

      Just curious, what else do you feel should be disabled in the default install?

      Comments
      1. By Ed White () on http://hacking.openbsd.it

        Removed/disabled from kernel (GENERIC):

        IPv6, every sound device, radio, crypto accelerators, joystick, compat_*, lkm, kmemstats.
        Also ktrace and ptrace should be removed from a production system.


        Every service off by default. Only SSH daemon if the user chose that during installation. Also syslogd should be updated or replaced. It still binds on 514 UDP.

        Comments
        1. By krh () on

          Changing GENERIC to BAREBONES and disabling a lot of services by default makes the system much, much, much less useful. As it is, a freshly-installed OpenBSD box is not only secure but is also useful. The slogan would be significantly less powerful if we shipped with everything off.

          As far as syslogd goes, read the code:


              i = recvfrom(pfd[PFD_INET].fd, line, MAXLINE, 0,
                  (struct sockaddr *)&frominet, &len);
              if (SecureMode) {
                      /* silently drop it */
              } else {


          I think it was art who told me that the reason syslogd opens 514/udp is so that it doesn't have to worry about opening and closing it if the configuration file is changed. If you're really that concerned about 514 being open, even if everything is discarded, use pf or hack the source.
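
The behaviour described in the comment above, as an added example that is not syslogd source and not part of the original comment: a UDP socket that stays bound while every datagram is read and discarded in secure mode. The names `open_listener`, `handle_datagram` and `secure_mode` are hypothetical, and a kernel-chosen loopback port stands in for 514/udp.

```c
/* Added illustration, not syslogd source: the socket stays bound, but
 * datagrams are read and discarded while secure_mode is set. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXLINE 1024

/* Bind UDP on 127.0.0.1 with a kernel-chosen port (constructed stand-in
 * for 514/udp, which needs root). Returns the fd, or -1 on error. */
int open_listener(struct sockaddr_in *sa)
{
	struct timeval tv = { 2, 0 };	/* receive timeout: never block forever */
	socklen_t len = sizeof(*sa);
	int fd = socket(AF_INET, SOCK_DGRAM, 0);

	memset(sa, 0, sizeof(*sa));
	sa->sin_family = AF_INET;
	sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (fd == -1 ||
	    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == -1 ||
	    bind(fd, (struct sockaddr *)sa, sizeof(*sa)) == -1 ||
	    getsockname(fd, (struct sockaddr *)sa, &len) == -1) {
		if (fd != -1)
			close(fd);
		return -1;
	}
	return fd;
}

/* Read one datagram. Returns the bytes kept for logging, 0 if the
 * datagram was dropped, or -1 on error or timeout. */
ssize_t handle_datagram(int fd, int secure_mode, char *out, size_t outlen)
{
	char line[MAXLINE];
	ssize_t i = recvfrom(fd, line, MAXLINE, 0, NULL, NULL);

	if (i == -1 || outlen == 0)
		return -1;
	if (secure_mode)
		return 0;		/* silently drop it */
	if ((size_t)i >= outlen)	/* truncate to the caller's buffer */
		i = (ssize_t)outlen - 1;
	memcpy(out, line, (size_t)i);
	out[i] = '\0';
	return i;
}
```

The port shows as open to a scanner in either mode; only the handling after `recvfrom` differs, which is why a packet filter rule is the way to make it disappear from the outside.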

    5. By Strog () on

      I use it all the time and know several other people that do too. Let's just disable IPv4 and IPv6 in GENERIC and we can be sure it's all safe. :)

    6. By tedu () on

      the idea is one GENERIC kernel should be sufficient for as many users as possible.

      Comments
      1. By Ed White () on Http://hacking.openbsd.it


        This could be a good thing if everything would be disabled by default with a sysctl, like Compact_* on 3.4.

        Comments
        1. By tedu () on

          well, i haven't patched my system yet, so if you feel capable of sending naughty ip6 traffic to me, go ahead. :)

          Comments
          1. By mirabile () on

            Shame on deadly then for not logging our IP
            addresses, only the IPv4 ones... ;-)

  5. By LeonYendor () on

    already released a security errata for this issue:

    a security erratum
    several security errata
    Quidquid latine dictum sit, altum viditur.

    Comments
    1. By Anonymous Coward () on

      Oderint dum metuant.

      Comments
      1. By Anonymous Coward () on

        Sabinum sopranum dist!
        Carima davilum pest!

        OK, enough...

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]