On Sun, Oct 24, 2010 at 8:28 PM, coderman <[email protected]> wrote:
> ...
> 1. remote ring0 do happen, c.f. CORE-2007-0219: OpenBSD's IPv6 mbufs
> remote kernel buffer overflow.
Forgot to link to the announce in question; it is worthy of a read if only to emphasize why any claim of immunity from a broad class of threats with blanket assurance is a strong claim best made after thorough and extensive effort to prove it to yourself via technical applied testing and measurement.

http://www.coresecurity.com/content/open-bsd-advisorie

"OpenBSD's IPv6 mbufs remote kernel buffer overflow"

2007-02-20: First notification sent by Core.
2007-02-20: Acknowledgement of first notification received from the OpenBSD team.
...
2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems...
2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
2007-03-05: OpenBSD team notified of PoC availability.
2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
...

The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:

1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;
2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic)

The issue can be triggered by sending a specially crafted IPv6 fragmented packet. OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration. However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network.
...
"""

