Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Remote Exploit Discovered for OpenBSD

Posted by samzenpus on Thu Mar 15, 2007 01:13 AM
from the patch-it-up dept.
Security Operating Systems BSD
An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Remote Exploit Discovered for OpenBSD 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Heh (Score:5, Funny)

    by cyberbob2351 (1075435) on Thursday March 15 2007, @01:20AM (#18358467) Homepage
    From TFA:

    Remotely Exploitable: Yes
    Locally Exploitable: No

    That right there is the biggest slap in the face! Everyone should have the freedom to fux0r their own machine!

    Opensource my ass...

  • Well done, the OpenBSD team. (Score:5, Insightful)

    by Anonymous Coward on Thursday March 15 2007, @01:21AM (#18358475)
    Well done. It's not an easy feat to create an OS with so little exploits. The team and Microsoft should take a leaf out of your book.

    • Re:Well done, the OpenBSD team. (Score:5, Insightful)

      by Kandenshi (832555) on Thursday March 15 2007, @01:38AM (#18358579)
      I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

      Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

      Someone decided that people don't care enough about the number of remote exploits found in a given OS. They were probably right.

      • I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

        Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

        My company makes far more than the OpenBSD team brings in, and yet we still respect them and try to emulate their practices. I'm not sure what kind of hubris it takes to dismiss someone's ideas just because you have more money.

      • Re:Well done, the OpenBSD team. (Score:5, Funny)

        by Tom (822) on Thursday March 15 2007, @04:39AM (#18359333) Homepage Journal

        It is when basically the only thing your OS does "in the default install" is allow SSH logins.
        Which is more remote access than a default install of Windos contains. ;-)

        Ok, make that "more intentional remote access"...
      • The default install of OpenBSD includes (from memory, so this is not exhaustive) SSHd, bind, apache and sendmail, all of which are included in the term 'Only two remote holes in the default install' - those codebases are as rigourously audited as anything else.

          • Re:Well done, the OpenBSD team. (Score:5, Informative)

            by TheRaven64 (641858) on Thursday March 15 2007, @05:50AM (#18359617) Homepage Journal
            Note that many Sendmail and Apache exploits do not affect OpenBSD, for two reasons:
            1. The kernel contains a lot of exploit mitigation stuff, that may well turn an arbitrary code execution into a DoS.
            2. OpenBSD doesn't actually include Sendmail or Apache, it includes forks of both. These are heavily audited by the OpenBSD guys, and not all of the changes are merged upstream.
            When a new category of bug is found in OpenBSD, the entire tree is searched for occurrences of it. This often means that seemingly innocuous changes in something like OpenBSD's httpd turn out to have fixed things that are later found to be security holes.

  • It's a feature (Score:4, Funny)

    by andy314159pi (787550) on Thursday March 15 2007, @01:21AM (#18358479) Journal

    Vulnerability Description
    The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:
    1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;
    2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic)

    I think they just found the Windows2003 Server Emulator.

    • Re:It's a feature (Score:5, Informative)

      by ArsenneLupin (766289) on Thursday March 15 2007, @02:43AM (#18358861)

      I think they just found the Windows2003 Server Emulator.
      Joking aside, finding a bug in BSD networking code could indeed mean that various Windows versions have that very same bug. Hats, to your keyboards!

  • Advisory Timeline (Score:4, Interesting)

    by fv (95460) * <fyodor@insecure.org> on Thursday March 15 2007, @01:26AM (#18358499) Homepage

    I'm a bit surprised that the summary didn't mention the rather interesting timeline in the Core advisory [seclists.org], which implies an attempted cover up. I don't know all the facts, so I'll let the document speak for itself:

    • 2007-02-20: First notification sent by Core.
    • 2007-02-20: Acknowledgement of first notification received from the OpenBSD team.
    • 2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
    • 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
    • 2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term.
    • 2007-02-26: Core email sent to OpenBSD team explaining that Core considers a remote denial of service a security issue and therefore does use the term "vulnerability" to refer to it and that although remote code execution could not be proved in this specific case, the possibility should not be discarded. Core requests details about the bug and if possible an analysis of why the OpenBSD team may or may not consider the bug exploitable for remote code execution.
    • 2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain.
    • 2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
    • 2007-03-05: OpenBSD team notified of PoC availability.
    • 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
    • 2007-03-08: Core sends final draft advisory to OpenBSD requesting comments and official vendor fix/patch information.
    • 2007-03-09: OpenBSD team changes notice on the project's website to "security fix" and indicates that Core's advisory should reflect the requirement of IPv6 connectivity for a successful attack from outside of the local network. 2007-03-12: Advisory updates with fix and workaround information and with IPv6 connectivity comments from OpenBSD team. The "vendors contacted" section of the advisory is adjusted to reflect more accurately the nature of the communications with the OpenBSD team regarding this issue.
    • 2007-03-12: Workaround recommendations revisited. It is not yet conclusive that the "scrub in inet6" directive will prevent exploitation. It effectively stops the bug from triggering according to Core's tests but OpenBSD's source code inspection does not provide a clear understanding of why that happens. It could just be that the attack traffic is malformed in some other way that is not meaningful for exploiting the vulnerability (an error in the exploit code rather than an effective workaround?). The "scrub" workaround recommendation is removed from the advisory as precaution.
    • 2007-03-13: Core releases this advisory.

    -Fyodor
    Insecure.Org [insecure.org]

    • Re:Advisory Timeline (Score:5, Interesting)

      by evilviper (135110) on Thursday March 15 2007, @01:38AM (#18358585) Journal

      which implies an attempted cover up.

      Cover up? The OpenBSD team believed it was only a remote DoS vulnerability until proof of concept code was provided, and re-labeled it as such immediately.

      What part seems suspicious to you?

      • Re:Advisory Timeline (Score:5, Informative)

        by fv (95460) * <fyodor@insecure.org> on Thursday March 15 2007, @02:45AM (#18358873) Homepage

        I wouldn't call it a cover up. I would say its a case of overconfidence.

        That could be. And don't get me wrong -- I'm a big OpenBSD fan and even have one of their posters framed and hanging in my home. But I think they could have handled this better. Given that security is their main selling point, I'd like to see the OpenBSD guys treat all buffer overflows as potentially exploitable. In this case, it appears that the fix to 3.9 and 4.0 branches was delayed for an extra week until Core produced a working remote root exploit. The problem with requiring a working exploit from bug reporters is that most of them lack the ability or inclination (or both) to produce one. This bug just happened to be reported by some of the best exploit writers in the world.

        Also, even if the bug did only allow anyone to cause remote kernel panic on your OpenBSD firewall or server with a single packet, that is still a security vulnerability. They can call it a DoS vulnerability if they are sure one cannot lead to code execution.

        -Fyodor [insecure.org]

  • Barely "remote" (Score:5, Informative)

    by _iris (92554) on Thursday March 15 2007, @01:36AM (#18358559) Homepage
    "remote" in this case only means "not local." It does not, in any way, mean "far away," as the attacker has to be able to inject fragmented IPv6 packets, which is extremely hard to control (impossible?) from the other side of a layer 3 device.

    • Re:Barely "remote" (Score:5, Informative)

      by pchan- (118053) on Thursday March 15 2007, @01:45AM (#18358617) Journal
      From the exploit text:

      However, in order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network


      So nobody from the net can crack your machine, they must already me on your local net. This greatly reduces the scope of this attack.

  • Holy Cow, an OpenBSD Vuln? (Score:5, Funny)

    by Anonymous Coward on Thursday March 15 2007, @01:49AM (#18358651)
    Thank GOD I run the company webserver on NT!

  • OpenBSD Website (Score:5, Informative)

    by Anonymous Coward on Thursday March 15 2007, @03:45AM (#18359123)
    From the OPENBSD Website:
    Only two remote holes in the default install, in more than 10 years!

    At least they don't hide it.

  • Forced release? (Score:5, Insightful)

    by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Thursday March 15 2007, @09:47AM (#18361099) Homepage Journal

    FTFA:

    2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
    2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
    [...]
    2007-03-05: OpenBSD team notified of PoC availability.
    2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
    [...]
    2007-03-13: Core releases this advisory.
    Release Mode: FORCED RELEASE

    Kudos to Core Security for finding an exploit in OpenBSD code. Seriously, that's impressive. However, it sounds like they're a little too pleased with themselves. "Forced release"? I guess that's technically true, in the sense that a feather exerts a gravitational force on the Earth.

    In a nutshell, they reported a problem and OpenBSD fixed it. Then they demonstrated that it was a more serious problem, and OpenBSD backported the fix to the current releases and announced it on their website. After reading the whole timeline, I'm not sure what else they were supposed to have done so that Core wouldn't be "forced" to announce the vulnerability that OpenBSD publicized on their own site as a "security fix" three days earlier.

    • Re:Moo (Score:5, Funny)

      by noz (253073) on Thursday March 15 2007, @02:09AM (#18358743)

      See! I told you ipv6 was evil!
      You mean ipv666 don't you?

      • Wrong... (Score:5, Interesting)

        by Phil John (576633) <phil@webst[ ]ltd.com ['ars' in gap]> on Thursday March 15 2007, @05:05AM (#18359431)

        ...it's roughly 5.67137278 × 10^28 IP's per person

        Or, as a recent Ars article [arstechnica.com] put it (much better than I ever could):

        To put this into perspective: there are currently 130 million people born each year. If this number of births remains the same until the sun goes dark in 5 billion years, and all of these people live to be 72 years old, they can all have 53 times the address space of the IPv4 Internet for every second of their lives. Let nobody accuse the IETF of being frugal this time around.
    • No. Answer? C gives you more control over the hardware which is required for something like an OS. It also has things like "pointers" required for memory mapped I/O.

      C++ ? Out of the question. Too many hidden operations make development a nightmare.
      Java? Are you even kiddin me? (yes, I know there are Java OSes, how those working out for you?)
      C#?..

      ooh ooh I know, Perl!!!

      If you want to reduce your bugs [in any language] simple steps

      1. Design code that you can verify and test
      2. Write modular code
      3. Re-use code as much as possible

      In this case, it seems the mbuf pointer gets changed before it's accessed later in the function. If they had tracked the life of that variable they would have spotted it. That type of error could have happened in any language.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.