From nobody Wed Nov 30 22:47:05 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMvTv4Fczz4jFQ5 for ; Wed, 30 Nov 2022 22:47:15 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NMvTt212Wz4JWQ for ; Wed, 30 Nov 2022 22:47:14 +0000 (UTC) (envelope-from marquis@roble.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=roble.com header.s=rs060402 header.b=iJuOo+6Q; spf=pass (mx1.freebsd.org: domain of marquis@roble.com designates 209.237.23.5 as permitted sender) smtp.mailfrom=marquis@roble.com; dmarc=pass (policy=none) header.from=roble.com Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 642DBE004 for ; Wed, 30 Nov 2022 14:47:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=roble.com; s=rs060402; t=1669848425; bh=sqbDQoSOTiNdQPopkPilQPX6qxTFmK4OgdFB3MW1FDA=; h=Date:From:To:Subject:In-Reply-To:References; b=iJuOo+6QNEyJA0pLHw0iZI68N/+KQtgSVFHzllxkW0x+imm3EZWvkDRcfZ48YMip+ eW7BnZS0O9LrzZ9Urk96ToFdQMzugkmsiTZMNI9WczpI0kPLGRmDytKfNGMul+sK6s yfJCBUd8XdNIVtbDLtm4JlbFQe1wjUIWWfKNM/SY= Date: Wed, 30 Nov 2022 14:47:05 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping In-Reply-To: <20221130223855.GA89753@spindle.one-eyed-alien.net> Message-ID: <9n9n775o-2rp4-5q7q-3500-61q18235qs5q@mx.roble.com> References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net> <20221130223855.GA89753@spindle.one-eyed-alien.net> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-Spamd-Result: default: False [-4.00 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; DMARC_POLICY_ALLOW(-0.50)[roble.com,none]; R_SPF_ALLOW(-0.20)[+ip4:209.237.23.0/24]; R_DKIM_ALLOW(-0.20)[roble.com:s=rs060402]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[roble.com:+]; ARC_NA(0.00)[]; ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Queue-Id: 4NMvTt212Wz4JWQ X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N Also note that the update can be as easy as: gitup src cd /usr/src make buildworld cd sbin/ping make install ls -l /sbin/ping /sbin/ping ... Roger Marquis > On Wed, Nov 30, 2022 at 05:03:10PM -0500, mike tancsa wrote: >> On 11/30/2022 4:58 PM, Dev Null wrote: >>> >>> Easily to exploit in a test environment, but difficult to be exploited >>> in the wild, since the flaw only can be exploited in the ICMP reply, >>> so the vulnerable machine NEEDS to make an ICMP request first. >>> >>> The attacker in this case, send a short reader in ICMP reply. >>> >> Lets say you know that some device regularly pings, say 8.8.8.8 as part >> of some connectivity check. If there is no stateful firewall, can the >> attacker not just forge the reply on the chance their attack packet >> could get there first ??? Or if its the case of "evil ISP" in the middle, >> it becomes even easier. At that point, how easy is it to actually do >> some sort of remote code execution. The SA implies there are mitigating >> techniques on the OS and in the app.?? I guess its that last part I am >> mostly unclear of, how difficult is the RCE if given the first >> requirement as a given. > > It's probably also worth considering it as a local privilege escalation > attack. The attacker will need to control a ping server, but it's often > the case that enough ICMP traffic is allowed out for that to work and in > that case they have unlimited tries to defeat any statistical mitigations > (unless the admin spots all the ping crashes). > > -- Brooks >