Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Thu, 08 Dec 2022 16:38:07 UTC
In message <20221130223855.GA89753@spindle.one-eyed-alien.net>, Brooks Davis writes:
>
> On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote:
> > On 11/30/2022 4:58 PM, Dev Null wrote:
> > >
> > > Easy to exploit in a test environment, but difficult to exploit
> > > in the wild, since the flaw can only be exploited in the ICMP reply,
> > > so the vulnerable machine NEEDS to make an ICMP request first.
> > >
> > > The attacker in this case sends a short reader in the ICMP reply.
> > >
> > Let's say you know that some device regularly pings, say 8.8.8.8 as part
> > of some connectivity check. If there is no stateful firewall, can the
> > attacker not just forge the reply on the chance their attack packet
> > could get there first? Or if it's the case of "evil ISP" in the middle,
> > it becomes even easier. At that point, how easy is it to actually do
> > some sort of remote code execution? The SA implies there are mitigating
> > techniques on the OS and in the app? I guess it's that last part I am
> > mostly unclear of: how difficult is the RCE if the first
> > requirement is taken as a given?
>
> It's probably also worth considering it as a local privilege escalation
> attack.  The attacker will need to control a ping server, but it's often
> the case that enough ICMP traffic is allowed out for that to work and in
> that case they have unlimited tries to defeat any statistical mitigations
> (unless the admin spots all the ping crashes).

Local privilege escalations are significant threats. I recall one site 
about 25-30 years ago, one of their OSF/1 machines had crashed and never 
recovered. It turned out that some intruder managed to break a CGI script 
which gave them a shell. They attempted a ping exploit which hung the 
machine hard. After a little digging around I discovered a ping exploit for 
Tru64. The exploit should have coughed up a root shell but in my client's 
case they lucked out with a crashed machine instead.

That same site had atrocious practices. They gave their CEO an account on 
the OSF/1 machine with the account name of ceo and a password of, you 
guessed it, ceo. The CEO never logged in once -- as if the CEO would log 
into some random UNIX box on the raised floor. I was surprised they didn't 
get broken into more often than the number of times they did.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0