Also note that the update can be as easy as:

  gitup src
  cd /usr/src
  make buildworld
  cd sbin/ping
  make install
  ls -l /sbin/ping
  /sbin/ping ...

Roger Marquis
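Two checks that go with a rebuild like the one above, written here as an added example (not part of Roger's message or of the FreeBSD source tree): `needs_update` compares a userland patch level as printed by `freebsd-version -u` (for example `13.1-RELEASE-p4`) against the level that carries the fix, and `installed_after_source` confirms that a binary installed by a partial `make install` is newer than the source file it was built from, since that path leaves `freebsd-version -u` unchanged. The required patch level is not named on this page, so it is left to the `REQUIRED` environment variable; the paths `/sbin/ping` and `/usr/src/sbin/ping/ping.c` are assumed from the procedure above.

```shell
#!/bin/sh
# Added example: verify that a ping fix actually landed on a FreeBSD host.
# Not taken from the mailing-list thread or the FreeBSD tree.

# patch_level VERSION -> prints "major minor patch" for strings such as
# "13.1-RELEASE-p5"; a string with no "-pN" suffix counts as patch 0.
# Only -RELEASE branches carry meaningful -pN levels; -STABLE/-CURRENT
# hosts should compare the commit they were built from instead.
patch_level() {
    ver=$1
    base=${ver%%-*}          # "13.1"
    major=${base%%.*}        # "13"
    minor=${base#*.}         # "1"
    patch=0
    case $ver in
        *-p[0-9]*) patch=${ver##*-p} ;;
    esac
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# needs_update INSTALLED REQUIRED -> exit 0 when INSTALLED is older than
# REQUIRED (major, then minor, then patch level), 1 otherwise.
needs_update() {
    set -- $(patch_level "$1") $(patch_level "$2")
    if [ "$1" -ne "$4" ]; then
        [ "$1" -lt "$4" ]
    elif [ "$2" -ne "$5" ]; then
        [ "$2" -lt "$5" ]
    else
        [ "$3" -lt "$6" ]
    fi
}

# installed_after_source BINARY SOURCE -> exit 0 when BINARY exists and is
# newer than SOURCE, i.e. it was installed after the fixed source was pulled.
installed_after_source() {
    [ -f "$1" ] && [ -f "$2" ] && [ "$1" -nt "$2" ]
}

# Stand-alone use on a FreeBSD host. REQUIRED is a placeholder: set it to the
# patch level named in the advisory for your branch, e.g.
#   REQUIRED=13.1-RELEASE-pN sh check-ping.sh
if command -v freebsd-version >/dev/null 2>&1; then
    installed=$(freebsd-version -u)
    if [ -n "${REQUIRED:-}" ]; then
        if needs_update "$installed" "$REQUIRED"; then
            echo "userland $installed is older than $REQUIRED"
        else
            echo "userland $installed is at or past $REQUIRED"
        fi
    fi
    if installed_after_source /sbin/ping /usr/src/sbin/ping/ping.c; then
        echo "/sbin/ping is newer than the checked-out ping.c"
    else
        echo "/sbin/ping is not newer than ping.c: rebuild may not have landed"
    fi
fi
```

The version comparison is numeric on each field, so `12.3-RELEASE-p10` correctly sorts below `13.1-RELEASE-p5` and a bare `13.1-RELEASE` is treated as patch level 0. The timestamp check is deliberately coarse: it only shows that something was installed after the source changed, not which change, so it complements rather than replaces the patch-level check.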


On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote:
> On 11/30/2022 4:58 PM, Dev Null wrote:
>
> > Easy to exploit in a test environment, but difficult to be exploited
> > in the wild, since the flaw only can be exploited in the ICMP reply,
> > so the vulnerable machine NEEDS to make an ICMP request first.
> >
> > The attacker in this case sends a short reader in ICMP reply.
>
> Let's say you know that some device regularly pings, say 8.8.8.8 as part
> of some connectivity check. If there is no stateful firewall, can the
> attacker not just forge the reply on the chance their attack packet
> could get there first ??? Or if it's the case of "evil ISP" in the middle,
> it becomes even easier. At that point, how easy is it to actually do
> some sort of remote code execution. The SA implies there are mitigating
> techniques on the OS and in the app?? I guess it's that last part I am
> mostly unclear of, how difficult is the RCE if given the first
> requirement as a given.

It's probably also worth considering it as a local privilege escalation
attack.  The attacker will need to control a ping server, but it's often
the case that enough ICMP traffic is allowed out for that to work and in
that case they have unlimited tries to defeat any statistical mitigations
(unless the admin spots all the ping crashes).

-- Brooks
