Remote Exploit Discovered for OpenBSD

An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible."

WHOA WTF

freakin rare event, hell must have frozen over! /me takes a snapshot of the moment and feels badly for all the BSD-folk

Re:WHOA WTF

You Linux pups seem to think bugs are normal events.

When was the last time a remote root exploit was found in the Linux kernel?

There (probably) was one in November 2004

See http://www.ubuntu.com/usn/usn-30-1 [ubuntu.com]; something like 7 vulnerabilities [theaimsgroup.com] were found in the kernel's smbfs driver which could be used for remote DoS and potentially for remote root, at least on some configurations (the Linux community decided to fix the bugs instead of waiting for exploit code to appear). There may have been other remote root exploits since then -- I haven't been keeping track.

Time to make a list...

-The Sox won the world series
-The Pope died
-Mac got Intel chips
-The Berlin Wall came down
-I out-lived 4 cats
-Man walked on the moon
-I got laid
and...
-BSD had a hole

Re:Time to make a list...

Do the facts that you got laid and that BSD had a hole have anything to do with each other ? Just asking - kids these days...

Re:WHOA WTF

If the team were as security conscious as you claim, they wouldn't have simply dismissed it and would have given the issue more serious consideration.

They didn't simply dismiss it. They fixed the bug. At that point the question of how severe the vulnerability is only affects how critical getting the patch for the bug is. Being security conscious, they don't want to push out a patch without sufficient testing -- possibly causing new vulnerabilities -- unless they have to. When shown that the issue was in fact a remote exploit, they did not dismiss the issue then either, they upgraded the status of the issue and marked the patch as urgent.

All of this is perfectly consistent with security consciousness.

A team which does not take security seriously would have denied that there was a bug at all, would not have the fix, and would have found a way to claim that despite being shown exploit code for a remote vulnerability, it wasn't in fact a big deal. But that isn't what happened.

I've always thought of the BSDs (Net and Open anyway) as a smaller attack vector, nothing inherently more secure. They don't have a monopoly on smart developers and all humans make mistakes.

It is foolish to think that because all humans make mistakes, all humans make the same number and severity of mistakes, and have the same methods of identifying and correcting mistakes. For the same reason, it is foolish to think that because all software has bugs, that all software is equally buggy and the bugs are of equal severity. It is the attention payed to security, the methodologies of writing secure code, that help prevent bugs and make code that is truly inherently more secure.

OpenBSD gets a lot of scrutiny in the security world exactly for the reason that people deploy it because of its security. It may be a smaller attack vector due to market share, and due to it being harder to crack than what your typical army of script kiddies can handle. This does not mean it is not thoroughly poked and prodded by experts, nor does it mean that inherently superior security is an illusion.

Re:WHOA WTF

It was 81 degrees F in New Jersey [wunderground.com] yesterday, so hell didn't freeze over.

Heh

From TFA:

Remotely Exploitable: Yes
Locally Exploitable: No

That right there is the biggest slap in the face! Everyone should have the freedom to fux0r their own machine!

Opensource my ass...

Well done, the OpenBSD team.

Well done. It's not an easy feat to create an OS with so little exploits. The team and Microsoft should take a leaf out of your book.

Re:Well done, the OpenBSD team.

You think the problem is that Microsoft can't create a secure OS? You don't think the problem is all the legacy crap, and the everything under the sun and everything to everyone demands placed upon it? Not that what OpenBSD has achieved as a track record isn't impressive. But serving one master (of one's own choosing) well, it not the same thing as being the most favored servent to the most masters.

Re:Well done, the OpenBSD team.

I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

Someone decided that people don't care enough about the number of remote exploits found in a given OS. They were probably right.

Re:Well done, the OpenBSD team.

I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

My company makes far more than the OpenBSD team brings in, and yet we still respect them and try to emulate their practices. I'm not sure what kind of hubris it takes to dismiss someone's ideas just because you have more money.

Re:Well done, the OpenBSD team.

It is when basically the only thing your OS does "in the default install" is allow SSH logins.

Which is more remote access than a default install of Windos contains. ;-)

Ok, make that "more intentional remote access"...

Re:Well done, the OpenBSD team.

The default install of OpenBSD includes (from memory, so this is not exhaustive) SSHd, bind, apache and sendmail, all of which are included in the term 'Only two remote holes in the default install' - those codebases are as rigourously audited as anything else.

Re:Well done, the OpenBSD team.

Note that many Sendmail and Apache exploits do not affect OpenBSD, for two reasons:

1. The kernel contains a lot of exploit mitigation stuff, that may well turn an arbitrary code execution into a DoS.
2. OpenBSD doesn't actually include Sendmail or Apache, it includes forks of both. These are heavily audited by the OpenBSD guys, and not all of the changes are merged upstream.

When a new category of bug is found in OpenBSD, the entire tree is searched for occurrences of it. This often means that seemingly innocuous changes in something like OpenBSD's httpd turn out to have fixed things that are later found to be security holes.

Re:Well done, the OpenBSD team.

Could this be a sign of overconfidence in the Linux community?

Not really, since this has nothing to do with Linux. It's OpenBSD, not Linux.

Re:Well done, the OpenBSD team.

The thing is, it doesn't matter. The OpenBSD folk treat pretty much every bug as a security hole. I heard one of them say this, which I think should be taken to heart by all software developers:

The only difference between a bug and a security hole is the intelligence of the attacker.

As such, the hole was patched when they thought it was just a DoS. All escalating it does is encourage admins not to actually apply the patches.

It's a feature

Vulnerability Description
The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:
1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;
2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic)

I think they just found the Windows2003 Server Emulator.

Re:It's a feature

I think they just found the Windows2003 Server Emulator.

Joking aside, finding a bug in BSD networking code could indeed mean that various Windows versions have that very same bug. Hats, to your keyboards!

Some amusing interchanges b/t OpenBSD and CoreLabs

* 2007-02-20: First notification sent by Core.
* 2007-02-20: Acknowledgement of first notification received from the OpenBSD team.
* 2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
* 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
* 2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term.
* 2007-02-26: Core email sent to OpenBSD team explaining that Core considers a remote denial of service a security issue and therefore does use the term "vulnerability" to refer to it and that although remote code execution could not be proved in this specific case, the possibility should not be discarded. Core requests details about the bug and if possible an analysis of why the OpenBSD team may or may not consider the bug exploitable for remote code execution.
* 2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain.
* 2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
* 2007-03-05: OpenBSD team notified of PoC availability.
* 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
* 2007-03-08: Core sends final draft advisory to OpenBSD requesting comments and official vendor fix/patch information.
* * 2007-03-09: OpenBSD team changes notice on the project's website to "security fix" and indicates that Core's advisory should reflect the requirement of IPv6 connectivity for a successful attack from outside of the local network.
* 2007-03-12: Advisory updates with fix and workaround information and with IPv6 connectivity comments from OpenBSD team. The "vendors contacted" section of the advisory is adjusted to reflect more accurately the nature of the communications with the OpenBSD team regarding this issue.
* 2007-03-12: Workaround recommendations revisited. It is not yet conclusive that the "scrub in inet6" directive will prevent exploitation. It effectively stops the bug from triggering according to Core's tests but OpenBSD's source code inspection does not provide a clear understanding of why that happens. It could just be that the attack traffic is malformed in some other way that is not meaningful for exploiting the vulnerability (an error in the exploit code rather than an effective workaround?). The "scrub" workaround recommendation is removed from the advisory as precaution.
* 2007-03-13: Core releases this advisory.



Got owned, OpenBSD? /I kid I kid

Advisory Timeline

I'm a bit surprised that the summary didn't mention the rather interesting timeline in the Core advisory [seclists.org], which implies an attempted cover up. I don't know all the facts, so I'll let the document speak for itself:

• 2007-02-20: First notification sent by Core.
• 2007-02-20: Acknowledgement of first notification received from the OpenBSD team.
• 2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
• 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
• 2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term.
• 2007-02-26: Core email sent to OpenBSD team explaining that Core considers a remote denial of service a security issue and therefore does use the term "vulnerability" to refer to it and that although remote code execution could not be proved in this specific case, the possibility should not be discarded. Core requests details about the bug and if possible an analysis of why the OpenBSD team may or may not consider the bug exploitable for remote code execution.
• 2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain.
• 2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
• 2007-03-05: OpenBSD team notified of PoC availability.
• 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
• 2007-03-08: Core sends final draft advisory to OpenBSD requesting comments and official vendor fix/patch information.
• 2007-03-09: OpenBSD team changes notice on the project's website to "security fix" and indicates that Core's advisory should reflect the requirement of IPv6 connectivity for a successful attack from outside of the local network. 2007-03-12: Advisory updates with fix and workaround information and with IPv6 connectivity comments from OpenBSD team. The "vendors contacted" section of the advisory is adjusted to reflect more accurately the nature of the communications with the OpenBSD team regarding this issue.
• 2007-03-12: Workaround recommendations revisited. It is not yet conclusive that the "scrub in inet6" directive will prevent exploitation. It effectively stops the bug from triggering according to Core's tests but OpenBSD's source code inspection does not provide a clear understanding of why that happens. It could just be that the attack traffic is malformed in some other way that is not meaningful for exploiting the vulnerability (an error in the exploit code rather than an effective workaround?). The "scrub" workaround recommendation is removed from the advisory as precaution.
• 2007-03-13: Core releases this advisory.

-Fyodor
Insecure.Org [insecure.org]

Re:Advisory Timeline

which implies an attempted cover up.

Cover up? The OpenBSD team believed it was only a remote DoS vulnerability until proof of concept code was provided, and re-labeled it as such immediately.

What part seems suspicious to you?

Re:Advisory Timeline

A remote kernel panic is a reliability issue - you can't exploit a paniced system! The OpenBSD team couldn't see a way to exploit the issue, Core subsequently proved that a panic could be avoided and exploit code executed, at which time it was upgraded to a security issue by the OpenBSD team. No conspiracy necessary.

Re:Advisory Timeline

> Availability is a key facet of security. There's no fuckin' point having a "secure" system which you can't even use.

Sure there is. Think, for example, of a data warehouse containing social security numbers. Would you prefer that that system go down entirely, or that the contents of the database is exposed. A system that detects trouble and shuts itself down until someone fixes it sounds good to me.

Also, by your standards, a power failure is a security hole. That's just not true.

They've earned a mulligan, I think

I'll spot them some skepticism or overconfidence. It's been proven again and again that they're right to think OpenBSD is a hard target, so it's understandable that they wanted to see proof before bumping their counter up.

As for a "cover up"... well, if such a thing happend I'd say they must really suck at coverups, since we all know about it. :-)

Re:Advisory Timeline

I wouldn't call it a cover up. I would say its a case of overconfidence.

That could be. And don't get me wrong -- I'm a big OpenBSD fan and even have one of their posters framed and hanging in my home. But I think they could have handled this better. Given that security is their main selling point, I'd like to see the OpenBSD guys treat all buffer overflows as potentially exploitable. In this case, it appears that the fix to 3.9 and 4.0 branches was delayed for an extra week until Core produced a working remote root exploit. The problem with requiring a working exploit from bug reporters is that most of them lack the ability or inclination (or both) to produce one. This bug just happened to be reported by some of the best exploit writers in the world.

Also, even if the bug did only allow anyone to cause remote kernel panic on your OpenBSD firewall or server with a single packet, that is still a security vulnerability. They can call it a DoS vulnerability if they are sure one cannot lead to code execution.

-Fyodor [insecure.org]

Re:Advisory Timeline

it appears that the fix to 3.9 and 4.0 branches was delayed for an extra week until Core produced a working remote root exploit

I think this makes sense, to be honest. If it's just a DoS, then I'd rather not put the code in my kernel until it's been well tested (I can remote-reboot my machine, if all else fails, and then apply the patch). If it's a remote code execution then it's pretty hard for any change to make it worse.

I really like OpenBSD, but I really miss having an analogue of FreeBSD's portaudit utility. Since the source data used by portaudit provides OpenBSD and FreeBSD vulnerability info, I wonder if anyone has tried porting it...

Obligatory

It was as if several dozen antiquated nameservers suddenly cried out in pain"

Update the firewall?

Perhaps it would be better to update the kernel

Doesn't matter how good a C programmer you are

There will be buffer overflows. The solution is to not use C for handling data from over the network. Use a language that has memory safety. I think JNode [jnode.org] is on the right track. They have a small amount of code (assembly in this case) for running the virtual machine, and everything else is done in Java. Java has no memory access. Buffer overflows of a certain kind can exist but the standard buffer overflow exploit is nearly impossible.

I know, those who don't understand what I'm talking about will leap in and say, "Java has to run in a JVM and what language is the JVM written in? Ha! It's in C (or assembler) so it can still have buffer overflows!" This is so naive. First, the JVM runs Java code, which has no memory access. It does not run untrusted code handed to it over the net. Second, and most important, it is a very small piece of code with a rigorous definition of what it should do. It's possible to verify a small, rarely-changing bit of C code with a rigorous specification. It's not really possible to verify correctness of a huge constantly-changing C codebase, like the OpenBSD kernel and system utilities.

Anyway, trying to have a huge secure codebase in C is an exercise in futility, as OpenBSD has shown. Relative to other operating systems, OpenBSD is small and feature-poor. And their dev team must be among the best in the world for eliminating these types of bugs. And yet they still get bitten by them.

Re:Doesn't matter how good a C programmer you are

Even the on the Lisp Machines the "kernel" code was implemented with manual memory management. There's a very simple reason for this. How do you implement the memory manager? It's a chicken and egg problem, so the lowest levels always have to do memory management by hand.

Also, it's less efficient to simply use one heap for everything. Instead, an OS kernel written in a language with automatic memory management usually maintains large blocks of memory for the various tasks to work in, like an area for packet construction, an area for I/O buffers, etc. The automatic allocator and GC are told which area to work in, and then create or delete stuff in that area as needed.

So no, it's not generally reasonable to implement the lower levels of any OS with automatic memory management. You're free to try, though.

Barely "remote"

"remote" in this case only means "not local." It does not, in any way, mean "far away," as the attacker has to be able to inject fragmented IPv6 packets, which is extremely hard to control (impossible?) from the other side of a layer 3 device.

Re:Barely "remote"

From the exploit text:

However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network

So nobody from the net can crack your machine, they must already me on your local net. This greatly reduces the scope of this attack.

OpenBSD - now TWICE as insecure

Wow, OpenBSD's security rating just went from "999,999" on a scale of 1 to a million to "999,998" on a scale of 1 to a million.

Holy Cow, an OpenBSD Vuln?

Thank GOD I run the company webserver on NT!

who the hell..

..uses IPv6? That's the first thing I turn off on every OS I've ever set up for a client (at least, ones where I can recompile the kernel).

This is about as interesting as finding a hole in Gopher. (Except, well, Gopher is something from the past, and IPv6 is perpetually in the future [any day now, we'll all switch!]).

I loved how core was...

gloating. Perhaps they know of an OS with a better record?

pablumfication

Can anyone explain what pablumfication means? The only hit [google.com] is the very same report. I thought maybe it was pablumification [google.com], but that only gets two more hits.

OpenBSD Website

From the OPENBSD Website:
Only two remote holes in the default install, in more than 10 years!

At least they don't hide it.

Needless sensationalism

This bug just crashes the machine. Anyone who uses a desktop or notebook knows that crashes happen from time to time, regardless of the OS. There is no known way to run attacker's code, and TFA suggests that there is unlikely to be one.

More popular than you thought

OpenBSD is only a target because it is so ubiquitous. If Microsoft windows ever becomes as popular, it too will become the target of such attacks. ;)

If only....

If only OpenBSD were suitable for anything beyond a firewall.

Fixed in OpenBSD 4.1

Fortunately, that bug has been fixed before the OpenBSD 4.1 CDs were sent to the press.

Can we now please stop using C?

Isn't it enough? even the best programmers can make a mistake with C (and no, it may be programmers that make the mistakes, but you have to be at least a Q in order to make an 100% correct C program).

Can we please stop using C?

http://it.slashdot.org/comments.pl?sid=224594&cid= 18191856 [slashdot.org]

Re:Can we now please stop using C?

No. Answer? C gives you more control over the hardware which is required for something like an OS. It also has things like "pointers" required for memory mapped I/O.

C++ ? Out of the question. Too many hidden operations make development a nightmare.
Java? Are you even kiddin me? (yes, I know there are Java OSes, how those working out for you?)
C#?..

ooh ooh I know, Perl!!!

If you want to reduce your bugs [in any language] simple steps

1. Design code that you can verify and test
2. Write modular code
3. Re-use code as much as possible

In this case, it seems the mbuf pointer gets changed before it's accessed later in the function. If they had tracked the life of that variable they would have spotted it. That type of error could have happened in any language.